CVE-2024-35222

Name of the Vulnerable Software and Affected Versions Tauri versions prior to 1.6.7 Tauri versions prior to 2.0.0-beta.19

Description The issue allows remote origin iFrames in Tauri applications to access the Tauri IPC endpoints without being explicitly allowed. This bypasses the origin check and enables iFrames to access the IPC endpoints exposed to the parent window. For exploitation, an attacker must have script execution in a script-enabled iFrame of a Tauri application. Valid commands with potentially unwanted consequences could be invoked by an attacker controlling the content of an iframe running inside a Tauri app.

Recommendations For versions prior to 1.6.7, consider using a dedicated window for untrusted origins instead of iFrames, or disable script execution within the iFrame as a workaround. For versions prior to 2.0.0-beta.19, use either a dedicated window or multiple WebViews in the main window to simulate iFrame behavior on Linux, or use dedicated windows or disable script execution inside the iFrame on other platforms. Update to version 1.6.7 or later for v1 Tauri applications. Update to version 2.0.0-beta.19 or later for v2 Tauri applications.