Tauri is a popular open-source framework for building secure, cross-platform desktop apps using web technologies — like JavaScript, HTML, and CSS. But recently, a security vulnerability was discovered that could let malicious websites *inside an iframe* take over sensitive functions of your Tauri app. This issue is tracked as CVE-2024-35222.

This post explains the flaw in simple terms, shows what was happening, and includes code snippets and links to dig deeper. If you’re building or running Tauri apps, *this is essential reading*.

What is CVE-2024-35222?

Tauri lets developers use web content to create native desktop apps, but with power comes responsibility—including the IPC (Inter-Process Communication) endpoints. These allow the JavaScript frontend to talk to the native backend, running commands like:

openFile, etc.

Restrictions should exist so that *only trusted* code can call these powerful commands. However, in Tauri before v1.6.7 and v2.0.0-beta.19, the following happened:

- Tauri rendered a web page, which could include `<iframe src="https://evil-site.com">`.
- Content loaded from a remote origin into an iframe could access IPC commands *without* explicitly being authorized via the `dangerousRemoteDomainIpcAccess` (v1) or `capabilities` (v2) settings.

> In plain English: *A website loaded into an iframe could run privileged commands — like deleting files — in your app, without the app developer realizing it was even allowed!*

A Realistic Exploit Scenario

Imagine a Tauri app for managing projects. The developer includes a third-party widget as an iframe. Without knowing, that iframe can now “talk” to the Tauri backend with the app’s full privileges.

Iframe Loads Malicious Content

```html
<iframe src="https://bad.site/example.html"></iframe>
```

```javascript
// This runs inside the malicious iframe
```

```javascript
// Steals user credits via native IPC
```

Why Was This Possible?

- Lack of Origin Isolation: Tauri did not properly restrict which origins (websites) could use IPC endpoints, at least for iframes.
- Settings Ignored: Even if you used `dangerousRemoteDomainIpcAccess` or the newer `capabilities` restrictions, they didn't *always* apply to iframes with remote origins as expected.

In Tauri v1

```json
"tauri": {
  "security": {
    // Not enforced as expected for remote iframes
    "dangerousRemoteDomainIpcAccess": [ "https://trusted.com" ]
  }
}
```

In Tauri v2

```json
"capabilities": {
  // Not enforced for remote iframes
  "allowlist": { "some_command": true }
}
```

How Tauri Fixed It

Patched Versions:

- 1.6.7
- 2.0.0-beta.19

What Changed:
Now, Tauri properly enforces the intended restrictions:

Review iframe Usage

Don’t embed `<iframe src="https://untrusted.com">` or content from any domain you don’t control!

Check Settings

- Use `dangerousRemoteDomainIpcAccess`/`capabilities` with *extreme* caution.
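
One way to run both checks, as an added example that is not code from the Tauri project or from the original post: it reads the resolved `tauri` crate version from `Cargo.lock` text, compares it with the patched versions named in this post, and lists static `<iframe>` tags whose `src` is a remote origin. The function names and the sample inputs are constructed for illustration.

```javascript
// Added audit helper for CVE-2024-35222; not Tauri project code.
// Patched versions come from this post: 1.6.7 and 2.0.0-beta.19.
const PATCHED = { 1: "1.6.7", 2: "2.0.0-beta.19" };
const RANK = { alpha: 0, beta: 1, rc: 2 }; // a final release ranks 3

// "2.0.0-beta.19" -> [2, 0, 0, 1, 19]; "1.6.7" -> [1, 6, 7, 3, 0]
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unrecognized version: ${v}`);
  return [+m[1], +m[2], +m[3], m[4] ? RANK[m[4]] : 3, +(m[5] || 0)];
}

function isVulnerable(version) {
  const v = parseVersion(version);
  const fixed = PATCHED[v[0]];
  if (!fixed) return false; // major line not covered by the post
  const f = parseVersion(fixed);
  for (let i = 0; i < 5; i++) if (v[i] !== f[i]) return v[i] < f[i];
  return false; // equal to the patched version
}

// Resolved `tauri` crate version from Cargo.lock text, or null if absent.
function tauriVersionFromLock(lockText) {
  const m = /\[\[package\]\]\r?\nname = "tauri"\r?\nversion = "([^"]+)"/.exec(lockText);
  return m ? m[1] : null;
}

// Heuristic scan of static HTML: iframe src values pointing at a remote origin.
function remoteIframes(html) {
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
  return [...html.matchAll(re)].map((m) => m[2]).filter((s) => /^(https?:)?\/\//i.test(s));
}

function audit(lockText, html) {
  const version = tauriVersionFromLock(lockText);
  const vulnerable = version !== null && isVulnerable(version);
  const frames = remoteIframes(html);
  return { version, vulnerable, frames, atRisk: vulnerable && frames.length > 0 };
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_LOCK = '[[package]]\nname = "tauri-build"\nversion = "1.5.1"\n\n' +
  '[[package]]\nname = "tauri"\nversion = "1.6.1"\n';
const SAMPLE_HTML = '<iframe src="/local/help.html"></iframe>\n' +
  '<iframe class="widget" src="https://widgets.example.com/board"></iframe>';

console.log(audit(SAMPLE_LOCK, SAMPLE_HTML));
```

The iframe scan only sees static markup; iframes created at runtime by script need a separate review.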

Official Advisory:

Tauri GHSA-7c97-34h8-cxh5

Tauri Docs Security Guide:

https://tauri.app/v1/guides/security/

Final Words

Building secure desktop apps with Tauri is possible and powerful, but browser security is complex! CVE-2024-35222 is a serious reminder to keep dependencies up-to-date and to never let untrusted code run with native privileges — not even in an innocent-looking iframe.

If you manage a Tauri app, update now and audit your security settings. Don't be an easy target for iframe hijackers!


*Thanks for reading — hope this keeps your apps and your users safe!*

Timeline

Published on: 05/23/2024 14:15:09 UTC
Last modified on: 06/04/2024 17:34:02 UTC