CVE-2022-41874 - Tauri Filesystem Scope Bypass Explained – How Special Characters Led to a Security Glitch

Tauri is an open-source framework that lets you build lightweight, secure desktop apps using web technologies like JavaScript, HTML, and CSS. You can use Tauri to create binaries for Windows, MacOS, and Linux—making it a popular choice for cross-platform desktop app developers.

However, in late 2022, a security vulnerability was discovered in Tauri affecting versions before 1..7 and 1.1.2. This CVE—CVE-2022-41874—let certain types of files escape the intended "filesystem scope." In other words: under special circumstances, apps built with Tauri could access files and folders just outside their intended boundaries!

Let's break down what happened, what made it possible, show a code snippet, point you to references, and explain how to patch or work around the problem.

Affected Versions: Tauri < 1..7, <1.1.2, <1.2.

- CVE Entry: CVE-2022-41874 on NIST
- Official Disclosure: GitHub Advisory GHSA-2q6m-xcxf-434c

What Went Wrong?

Tauri apps use a configuration called fs scope to define which folders and files the app can access. Think of it as a security fence around a folder, so your app can only reach files inside.

drag & drop

– and that file had special characters in its path (for example, spaces, dots, or Unicode), Tauri didn't always handle the file path the right way.

This flaw let an attacker, with some work, slip a malicious file right next to an allowed file. The faulty path parsing could make Tauri think that file was inside the secure "fenced" area—when actually, it wasn't supposed to be.

Example: How Could This Happen?

Let's take a look at an example in plain language, and then show a code snippet.

You build a Tauri app, and set the fs scope to only allow access to C:\myApp\allowedFolder.

2. A user is tricked into using the file picker and selects a file called C:\myApp\allowedFolder..hiddenFile, or a malicious folder cleverly named with special characters.
3. Due to Tauri’s faulty parsing, the path can be wrongly resolved as inside allowedFolder, even though it’s not.

Here's a simplified JavaScript snippet from a Tauri frontend

import { open } from '@tauri-apps/api/dialog';
import { readTextFile } from '@tauri-apps/api/fs';

async function openFile() {
  // User selects a file via file dialog
  const filePath = await open();
  if (!filePath) return;

  // App tries to read the file
  try {
    const text = await readTextFile(filePath);
    console.log('File Contents:', text);
  } catch (error) {
    console.error('Error reading file:', error);
  }
}

When special characters in filenames confuse the resolver, readTextFile() might be able to open something outside the allowed area without you knowing!

Why Is This Dangerous?

- Partial Bypass: Attackers can't reach just any file, but can access files/folders *next to* allowed scope.

Different by OS: What works on Windows may not on Linux or MacOS, because path rules change.

- User Action Needed: The user still needs to pick or drop the malicious file. But attackers can use social engineering, or sneak files onto the user’s machine.
- Risk: Sensitive files just outside your scope folders (backups, configs, source code, etc.) could be read.

The Exploit In a Nutshell

> Attacker creates a file or folder with a sneaky name involving dots, spaces, or Unicode, right next to the folder you allow in fs scope. When your user picks that file using the file dialog or drag & drop, Tauri’s flawed parsing lets it through—even though it shouldn’t.

Real-World Impact

- If you built a Tauri app before late 2022, and let users pick files, you might be exposing more files than you intended.
- Not a remote code execution bug: The attacker can't run code, but can steal data if your app is tricked into accessing files with sensitive info.

Tauri 1.2.

> See Tauri changelog for details.

Until you can update, do this in your tauri.conf.json

{
  // ...
  "tauri": {
    // ...
    "security": {
      "dialog": false,
      "fileDropEnabled": false
    }
  }
}

Official References

- CVE-2022-41874 at NVD
- GitHub Security Advisory
- Tauri Project on GitHub
- Tauri Update Changelog
- npm Advisory

Final Thoughts

CVE-2022-41874 is a great reminder that even with strong security models, tiny bugs in “uncool” code like path parsing can have big consequences. The Tauri team responded fast, but if you’re building cross-platform apps always keep up-to-date and audit your permissions.

If your app lets users select files or drag & drop, make sure you’re running a safe, patched version. Otherwise, attackers could peek over your security fence—one sneaky file at a time.

Timeline

Published on: 11/10/2022 21:15:00 UTC
Last modified on: 11/15/2022 20:17:00 UTC