Update Rust crate tauri to v2.11.1 [SECURITY]#11
Open
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
tauri: 2.2.2 → 2.11.1

Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
CVE-2026-42184 / GHSA-7gmj-67g7-phm9
Summary
A flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because those platforms' WebView implementations cannot serve custom URI schemes directly. The issue is that Tauri's check for whether the origin is local only compares the first subdomain label of the URL. An attacker can abuse this by hosting a page on a domain whose first label matches the application's custom scheme (e.g. http://app.attacker.com/).
Example:
app://localhost/ → on Android/Windows: http://app.localhost/
The faulty check accepts any host beginning with app., including http://app.evil.com/
As a result, the attacker page can invoke backend commands that the developer intended to be accessible only to the app's own frontend and that are explicitly restricted from being called by external or remote origins.
Details
Vulnerable function:
Link: https://github.com/tauri-apps/tauri/blob/1ef6a119b1571d1da0acc08bdb7fd5521a4c6d52/crates/tauri/src/webview/mod.rs#L1680
split_once('.') discards everything after the first '.'. For http://app.evil.com/, the extracted label is app. If the application has registered a protocol named app, protocols.contains_key("app") returns true and the URL is classified as Origin::Local. The correct check must assert that the full domain is exactly <protocol>.localhost.
PoC
We created a proof of concept app that can be found here. The app registers a custom app:// protocol and exposes a ping command restricted to local origins only. It provides a button to open a URL in a WebView, pre-filled with https://app.robbe-bc9.workers.dev/, an attacker-controlled page that invokes ping on load. Because the domain's first label matches the registered app protocol, is_local_url() classifies it as a local origin and the command succeeds.
capabilities/main.json contains the following code, which only exposes ping locally:

```json
{
  "$schema": "../../../crates/tauri-schema-generator/schemas/capability.schema.json",
  "identifier": "main",
  "local": true,
  "windows": ["*"],
  "permissions": [
    "sample:allow-ping"
  ]
}
```

src/lib.rs contains the following code, to register a custom scheme:
Impact
The attacker page can invoke backend commands that the developer intended to be accessible only to the app's own frontend and that are explicitly restricted from being called by external or remote origins.
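The first-label comparison described in the Details section, modelled as an added example (not Tauri's own code): a minimal stand-in for is_local_url() with the faulty split_once('.') check beside an exact `<protocol>.localhost` host comparison. The host_of() parser, the Origin enum and the protocol set are assumptions made for the illustration; Tauri's real check works on a parsed URL and its registered-protocol map.

```rust
// Added illustration, not Tauri's code: a model of the is_local_url() origin
// check from the advisory, faulty version beside the corrected version.
use std::collections::HashSet;

/// Origin classification used by this example (named after the advisory's Origin::Local).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Origin {
    Local,
    Remote,
}

/// Extract the host from an http(s) URL. Minimal parser for the example only;
/// userinfo and port are dropped, no IDNA or IPv6 handling.
pub fn host_of(url: &str) -> Option<&str> {
    let rest = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))?;
    let authority = rest.split('/').next()?;
    let host = authority.rsplit('@').next()?; // strip "user:pass@"
    let host = host.split(':').next()?; // strip ":port"
    if host.is_empty() { None } else { Some(host) }
}

/// Faulty check: only the label before the first '.' is compared against the
/// registered protocol names, so "app.evil.com" passes as local for protocol "app".
pub fn classify_vulnerable(url: &str, protocols: &HashSet<&str>) -> Origin {
    match host_of(url).and_then(|h| h.split_once('.')) {
        Some((label, _)) if protocols.contains(label) => Origin::Local,
        _ => Origin::Remote,
    }
}

/// Corrected check: the whole host must be exactly "<protocol>.localhost".
pub fn classify_fixed(url: &str, protocols: &HashSet<&str>) -> Origin {
    match host_of(url) {
        Some(host) if protocols.iter().any(|p| host == format!("{p}.localhost")) => Origin::Local,
        _ => Origin::Remote,
    }
}

fn main() {
    // Constructed sample: one registered custom scheme, as in the advisory's PoC.
    let protocols: HashSet<&str> = ["app"].into_iter().collect();
    for url in ["http://app.localhost/", "http://app.evil.com/", "http://evil.com/"] {
        println!(
            "{url}: vulnerable={:?} fixed={:?}",
            classify_vulnerable(url, &protocols),
            classify_fixed(url, &protocols)
        );
    }
}
```

Running it shows http://app.evil.com/ classified as Local by the first-label check and as Remote by the exact-host check, while http://app.localhost/ is Local under both; a capability with "local": true only holds if the second form of the check is in place.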
Severity
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
tauri-apps/tauri (tauri)
v2.11.1: @tauri-apps/cli v2.11.1
[2.11.1]
Dependencies
- tauri-cli@2.11.1

v2.11.0: @tauri-apps/cli v2.11.0
[2.11.0]
New Features
- 926a57bb0 (#15201) Added uninstaller icon and uninstaller header image support for NSIS installer. Notes:
  - tauri-bundler lib users: NsisSettings now has 2 new fields, uninstaller_icon and uninstaller_header_image, which can be a breaking change.
  - uninstallerIcon and uninstallerHeaderImage under bundle > windows > nsis to configure them.
- 764b9139a (#14313) Prompt to restart the Android emulator if it is not connected to adb.
- 5dc2cee60 (#14793) Added minimumWebview2Version option support for the MSI (Wix) installer; the old bundle > windows > nsis > minimumWebview2Version is now deprecated in favor of bundle > windows > minimumWebview2Version. Notes:
  - WVRTINSTALLED Property tag in main.wxs, it is now renamed to INSTALLED_WEBVIEW2_VERSION.
  - tauri-bundler lib users: WindowsSettings now has a new field, minimum_webview2_version, which can be a breaking change.
Enhancements
- be0e4bd2d (#15218) Added Vietnamese translations for the NSIS installer.
- 8718d0816 (#15033) Show the context before prompting for the updater signing key password.
Bug Fixes
- fcb702ec4 (#14954) Fix build --bundles to allow the nsis arg on Linux and macOS.
- 80c1425af (#14921) Fix iOS build failure when Metal Toolchain is installed by using the explicit $(DEVELOPER_DIR)/Toolchains/XcodeDefault.xctoolchain path instead of $(TOOLCHAIN_DIR) for Swift library search paths.
What's Changed
- 9979cde1c (#15175) Update NSIS installer Italian translations.
Dependencies
- tauri-cli@2.11.0

v2.10.3: tauri v2.10.3
Cargo Audit
[2.10.3]
Dependencies
- tauri-utils@2.8.3
- tauri-runtime@2.10.1
- tauri-runtime-wry@2.10.1
- tauri-macros@2.5.5
- tauri-build@2.5.6
Cargo Publish