CVE-2024-35222

Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.

Published: May 23, 2024
Updated: May 4, 2025
CVE: CVE-2024-35222
GHSA: GHSA-57fm-592m-34r7
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
tauri	-	1.6.7
tauri	2.0.0-beta.0	2.0.0-beta.20

https://github.com/tauri-apps/tauri/commit/d950ac1239817d17324c035e5c4769ee71fc197d
https://github.com/tauri-apps/tauri/commit/f6d81dfe0871e0ccd012e5190d41e3767e733608
https://github.com/tauri-apps/tauri/issues/8316
https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7

Vulnerability Database

289,689

CVE-2024-35222