The Rust Security Response WG announced CVE-2024-24576
, which affects the Rust Standard Library on Windows.
TL;DR: Upgrade your Rust version to
1.77.2
.
How Does it Affect Tauri as a Library?
Some Tauri organization repositories use batch files (cmd.exe
under the hood) for developer environment tooling such as build scripts. No reviewed repositories use batch files for runtime code.
We don’t see additional risks for the Tauri project based on this CVE.
Is My Tauri App Affected?
In general, you are possibly affected if you fulfill all of the below criteria:
You ship your app on Windows
Your project enables the Tauri v1
shell
feature with"execute": true
or the v2shell-plugin
withallow-execute
permissionYou allow arguments in the
scope
element of theshell
featureYou pass untrusted input to
cmd.exe
or.bat
/.cmd
files and improperly validate the scope (🚩)
If any of these criteria are not fulfilled in your application you are likely NOT affected.
If you implement custom commands or logic written in your application that directly exposes the Rust Command
with arguments provided at runtime, you may be affected. While not Tauri specific, this pattern could affect any Rust project.
Conclusion
Please upgrade your Rust version to 1.77.2
as soon as possible and distribute updates to your users.
Read more about this security advisory here. This affects many programming languages, this specific CVE is just the one filed for Rust.
Authors:
Tillmann Weidinger, Director of Security atCrabNebula
Chip Reed, Security Engineer atCrabNebula