PT-2022-26107 · Tauri · Tauri

Messycomposer · Published 2022-09-19 · Updated 2022-11-15 · CVE-2022-41874

CVSS v3.1: 2.6 (Low)
Vector: AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Tauri versions prior to 1.0.7; Tauri versions prior to 1.1.2
Description: The issue is an incorrectly resolved name: special characters in paths selected via the file dialog and the drag-and-drop functionality are not escaped correctly, which allows a partial bypass of the fs scope definition. The bypass is limited to neighboring files and subfolders of paths that are already allowed. The impact differs across Windows, macOS, and Linux because the set of valid path characters differs. A successful bypass requires the user to select a pre-existing malicious file or directory in the file picker dialog, and adversary-controlled logic in the application that then accesses these files.
Recommendations: For versions prior to 1.0.7, update to version 1.0.7 or later. For versions prior to 1.1.2, update to version 1.1.2 or later. As a temporary workaround, disable the dialog and fileDropEnabled components in tauri.conf.json.
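The following Python is an added illustration of the two points above; it is not Tauri's code and does not reproduce Tauri's Rust scope implementation. It models a glob-based fs scope to show why a dialog-selected path must be escaped before it becomes a scope pattern (a file whose name contains a glob metacharacter would otherwise widen the scope to its neighbors and subfolders), and it checks a parsed tauri.conf.json fragment for the temporary workaround. The sample paths and configuration fragments are constructed; the configuration keys (tauri.allowlist.dialog, tauri.windows[].fileDropEnabled) are assumed from the Tauri 1.x configuration schema.

```python
"""Added example: glob-scope escaping model and tauri.conf.json workaround check.

Not Tauri's own code. The scope logic is a simplified stand-in for Tauri's
Rust implementation; the config keys checked are assumed from the Tauri 1.x
configuration schema.
"""
import fnmatch
import glob
import json


def scope_allows(scope: list[str], path: str) -> bool:
    """True if any scope pattern matches the path (case-sensitive glob)."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in scope)


def allow_selected_path_unescaped(scope: list[str], selected: str) -> None:
    """Defective behaviour: the selected path is added verbatim, so glob
    metacharacters in its name act as wildcards in the scope pattern."""
    scope.append(selected)


def allow_selected_path_escaped(scope: list[str], selected: str) -> None:
    """Fixed behaviour: metacharacters (* ? [) are escaped so the pattern
    matches only the literal path the user picked."""
    scope.append(glob.escape(selected))


def demonstrate() -> dict[str, bool]:
    """Compare the unescaped and escaped scope on constructed sample paths."""
    # Constructed sample: the allowed directory holds a pre-existing file whose
    # name is a single '*', plus a neighbour and a nested file it must not reach.
    selected = "/home/alice/docs/*"
    neighbour = "/home/alice/docs/wallet.json"
    nested = "/home/alice/docs/sub/notes.txt"

    vulnerable: list[str] = []
    allow_selected_path_unescaped(vulnerable, selected)
    fixed: list[str] = []
    allow_selected_path_escaped(fixed, selected)  # pattern becomes ".../[*]"

    return {
        "vuln_selected": scope_allows(vulnerable, selected),
        "vuln_neighbour": scope_allows(vulnerable, neighbour),
        "vuln_nested": scope_allows(vulnerable, nested),
        "fixed_selected": scope_allows(fixed, selected),
        "fixed_neighbour": scope_allows(fixed, neighbour),
        "fixed_nested": scope_allows(fixed, nested),
    }


# Constructed, minimal configuration fragments (not complete tauri.conf.json files).
VULNERABLE_CONF = json.loads('''
{"tauri": {"allowlist": {"dialog": {"open": true, "save": true}},
           "windows": [{"title": "main"}]}}
''')
WORKAROUND_CONF = json.loads('''
{"tauri": {"allowlist": {"dialog": {"all": false, "open": false, "save": false}},
           "windows": [{"title": "main", "fileDropEnabled": false}]}}
''')


def workaround_applied(conf: dict) -> list[str]:
    """Return findings for the temporary workaround; an empty list means the
    dialog allowlist is off and file drop is disabled on every window."""
    findings: list[str] = []
    tauri = conf.get("tauri", {})
    dialog = tauri.get("allowlist", {}).get("dialog", {})
    if any(dialog.get(key, False) for key in ("all", "open", "save")):
        findings.append("allowlist.dialog still enables open/save")
    for index, window in enumerate(tauri.get("windows", [])):
        # fileDropEnabled defaults to true when omitted (assumed schema default)
        if window.get("fileDropEnabled", True):
            findings.append(f"windows[{index}].fileDropEnabled is not false")
    return findings


if __name__ == "__main__":
    for name, allowed in demonstrate().items():
        print(f"{name}: {allowed}")
    print("vulnerable conf:", workaround_applied(VULNERABLE_CONF))
    print("workaround conf:", workaround_applied(WORKAROUND_CONF))
```

With the unescaped scope, the pattern `/home/alice/docs/*` matches the neighbouring wallet file and the nested file, while the escaped pattern `/home/alice/docs/[*]` matches only the file the user actually selected. The configuration check reports two findings for the first fragment (dialog still enabled, window without `fileDropEnabled: false`) and none for the second.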

Weakness Enumeration

Improper Access Control
Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2022-41874
GHSA-Q9WV-22M9-VHQH
RUSTSEC-2022-0091

Affected Products

Tauri