PT-2022-24815 · Tauri · Tauri

Martin-Ocasek · Published 2022-08-07 · Updated 2022-09-21 · CVE-2022-39215

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Tauri versions prior to 1.0.6

Description: Due to missing canonicalization when readDir is called recursively, it was possible to display directory listings outside of the defined fs scope. This required a crafted symbolic link or junction folder inside an allowed path of the fs scope. No arbitrary file content could be leaked.

Recommendations: For versions prior to 1.0.6, upgrade to version 1.0.6 or later. As a temporary workaround for users unable to upgrade, disable the readDir endpoint in the allowlist inside tauri.conf.json.
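
The mitigated behaviour, as an added Rust example that is not Tauri's own code: a simplified fs scope (a single canonicalized root, where Tauri uses a list of scope patterns) whose recursive listing canonicalizes every entry before comparing it with the root, so a symlink inside the scope that resolves outside it is recorded as skipped instead of being listed or entered. It assumes a Unix host for symlink creation and builds its own constructed temporary layout.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Scope check on the canonical (symlink-resolved) path, never on the path as given:
/// `root` is assumed already canonicalized. Unresolvable paths are rejected.
pub fn in_scope(root: &Path, path: &Path) -> bool {
    match fs::canonicalize(path) {
        Ok(real) => real.starts_with(root),
        Err(_) => false,
    }
}

/// Recursive listing that re-checks every entry after canonicalization; entries whose
/// real location is outside `root` go to `skipped` instead of being listed or entered.
pub fn read_dir_scoped(root: &Path, dir: &Path, listed: &mut Vec<PathBuf>, skipped: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if !in_scope(root, &path) {
            skipped.push(path);
            continue;
        }
        // Descend only into real directories, never through a symlink, so a link
        // pointing back at an ancestor cannot cause unbounded recursion.
        if fs::symlink_metadata(&path)?.is_dir() {
            read_dir_scoped(root, &path, listed, skipped)?;
        }
        listed.push(path);
    }
    Ok(())
}

/// Constructed layout (not from the advisory): `allowed/` is the scope, `outside/secret.txt`
/// is out of scope, and `allowed/escape` is a symlink pointing at `outside/`.
pub fn demo() -> io::Result<(Vec<PathBuf>, Vec<PathBuf>)> {
    let base = std::env::temp_dir().join(format!("readdir-scope-demo-{}", std::process::id()));
    let (allowed, outside) = (base.join("allowed"), base.join("outside"));
    fs::create_dir_all(&allowed)?;
    fs::create_dir_all(&outside)?;
    fs::write(outside.join("secret.txt"), b"not for listing")?;
    fs::write(allowed.join("ok.txt"), b"in scope")?;
    std::os::unix::fs::symlink(&outside, allowed.join("escape"))?;
    let root = fs::canonicalize(&allowed)?;
    let (mut listed, mut skipped) = (Vec::new(), Vec::new());
    read_dir_scoped(&root, &allowed, &mut listed, &mut skipped)?;
    fs::remove_dir_all(&base)?;
    Ok((listed, skipped))
}
```

Running `demo()` lists only `allowed/ok.txt`; the `escape` link is reported in the skipped set and nothing under `outside/` is ever read.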

Weakness Enumeration

Link Following
Path traversal

Related Identifiers

CVE-2022-39215
GHSA-28M8-9J7V-X499
RUSTSEC-2022-0088

Affected Products

Tauri