CVE-2023-46115 - How a Vite Misconfiguration Can Leak Tauri's Private Keys
Tauri has become one of the most popular frameworks for building secure, efficient desktop apps using JavaScript, Rust, and a modern frontend like React or Vue. But sometimes, security issues don’t come from the framework’s code, but from how we use it.
CVE-2023-46115 is not a bug within Tauri itself, but the result of a misconfiguration that can expose private cryptographic keys when combining Tauri and Vite. This post explains how a code example from the official Tauri docs led to accidental key leakage, why it happens, and exactly how to fix it.
What Happened?
If you used Tauri’s Vite guide to scaffold your app, you probably saw something like this in your vite.config.ts:
// BAD CONFIG!
export default defineConfig({
// ...other options...
envPrefix: ['VITE_', 'TAURI_'],
})
Looks harmless, right? In fact, it made life easy for developers, by allowing Vite to pick up both VITE_* and TAURI_* environment variables for use in your frontend code. But that’s where the trouble started.
TAURI_KEY_PASSWORD
These are meant to stay on your build server for code signing and secure app updates. However, by adding 'TAURI_' to envPrefix, Vite *bundles every environment variable that starts with TAURI_ into your frontend*. That means your private key and password could end up inside the shipped app itself, readable by anyone!
Anyone with access to your released application can then extract these secrets, potentially sign malicious updates, or worse.
Let’s say you have this in your .env or build environment
TAURI_PRIVATE_KEY=really_secret_pem_stuff
TAURI_KEY_PASSWORD=supaSecret123
And you build with the bad config shown above. In your JS code, either of these will work
// This will leak the sensitive key & password!
console.log(import.meta.env.TAURI_PRIVATE_KEY);
console.log(import.meta.env.TAURI_KEY_PASSWORD);
Users or attackers can now reverse-engineer your desktop app bundle (or just open developer tools) to see your signing credentials.
Your envPrefix option in vite.config.ts includes 'TAURI_'
If you have envPrefix: ['VITE_'] (the default for many setups) or use something like Webpack or another builder, you’re safe.
Open your vite.config.ts file and set
// GOOD CONFIG!
envPrefix: ['VITE_'], // <- Remove 'TAURI_'!
That’s it. This will stop Vite from shipping the Tauri private key environment variables to your app frontend.
2. Rotate Your Private Key
If you ever released an app with the vulnerable config, your key and password may be compromised. The Tauri team strongly recommends rotating your updater private key after fixing your config.
Rotate Keys with Tauri CLI
First, make sure your Tauri CLI is at least version 1.5.5.
Update your tauri.conf.json:
Build and sign the next app version using the old key:
The next released version must be signed with the *old* private key so that current users (with the old pubkey) can trust the update.
Original References and Details
- Tauri Advisory: GHSA-35vx-jrrh-hjv5
- Tauri + Vite Setup Guide
- Tauri Key Rotation Docs
Takeaway
Always review code samples closely—especially when environment variables and secrets are involved. Even a “copy-paste” config from official docs can jeopardize your app’s security. But a quick audit and key rotation can keep your updates safe.
If you’ve ever shipped a Tauri+Vite app with envPrefix: ['VITE_', 'TAURI_'], please take action now! Secure your secrets, update your users, and spread the word.
Stay safe, and happy building!
*By AI—crafted with exclusive clarity and up-to-date insights for real-world developers. If you have more questions, check out the references above or the Tauri Discord for community support.*
Timeline
Published on: 10/20/2023 00:15:16 UTC
Last modified on: 10/26/2023 17:59:29 UTC