CVE-2022-46171

CVE-2022-46171 is a medium-severity path traversal vulnerability in tauri (rust). It affects versions >= 1.0.0, < 1.0.8; >= 1.1.0, < 1.1.3; >= 1.2.0, < 1.2.3; and >= 2.0.0-alpha.0, < 2.0.0-alpha.2. It is fixed in 1.0.8, 1.1.3, 1.2.3 and 2.0.0-alpha.2.

Summary

Workarounds

No workaround is known at the time of publication.

References

The original report stated that the dialog.open component automatically allows one level of sub directory to be read, regardless of the recursive option.

Imagine a file system looking like

 o ../
 o documents/
    - file.txt
    - deeper/
       o deep_file.txt

Reproduction steps:

  1. Trying to load “file.txt” or “deep_file.txt” doesn’t work (expected).
  2. Select “documents” as the folder to open (i.e. with window.__TAURI__.dialog.open).
  3. Trying to load “file.txt” works (expected).
  4. Trying to load “deep_file.txt” also works, which isn’t expected.

The recursive flag is used in https://github.com/tauri-apps/tauri/blob/cd8c074ae6592303d3f6844a4fb6d262eae913b2/core/tauri/src/scope/fs.rs#L154 to scope filesystem access either to the files directly in the folder or to also include its sub directories.

The original issue was replicated and further investigated.

The root cause was traced to the default MatchOptions of the glob crate, which let * and [...] also match the path separator and a leading dot, so a single-level wildcard silently spans into sub directories:

MatchOptions {
    case_sensitive: true,
    require_literal_separator: false,   // `*`, `?` and `[...]` may match `/`
    require_literal_leading_dot: false  // and the leading `.` of a path component
}

This meant that not only the dialog.open component was affected, but every fs scope containing the * or [...] glob.
During this investigation it also became obvious that the current glob matches would match hidden folder (e.g. .ssh) content by default, without hidden folders being explicitly allowed. This is not commonly expected behavior; bash, for example, does not expand * into dotfiles by default.

The new default MatchOptions are:

MatchOptions {
    case_sensitive: true,
    require_literal_separator: true,   // wildcards stop at `/`
    require_literal_leading_dot: true  // a leading `.` must be spelled out in the scope
}

Another security-relevant note for developers building applications that interact with case sensitive filesystems: the case_sensitive option only affects ASCII file paths and has no effect on Unicode paths. This is considered a known risk until the glob crate supports case sensitive matching of non-ASCII file paths.

For more Information

If you have any questions or comments about this advisory:

Open an issue in tauri
Email us at [email protected]

Impact

The filesystem glob pattern wildcards *, ?, and [...] match path separators and leading dots by default, which unintentionally exposes the sub folder content of allowed paths.

Example: The fs scope $HOME/*.key would also allow $HOME/.ssh/secret.key to be read even though it is in a sub directory of $HOME and is inside a hidden folder.

Scopes without these wildcards are not affected. As ** is meant to allow sub directories, the behavior there is also as expected.

A frontend path request that lands in a sub directory or hidden directory of an allowed folder passes the scope check it should fail, so content such as configuration or credential files can be reached. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2022-46171 has a CVSS score of 6.8 (Medium). The vector records an adjacent-network attack vector, low privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (1.0.8, 1.1.3, 1.2.3, 2.0.0-alpha.2); upgrading removes the vulnerable code path.

Affected versions

tauri (>= 1.0.0, < 1.0.8)
tauri (>= 1.1.0, < 1.1.3)
tauri (>= 1.2.0, < 1.2.3)
tauri (>= 2.0.0-alpha.0, < 2.0.0-alpha.2)

Security releases

tauri → 1.0.8 (rust)
tauri → 1.1.3 (rust)
tauri → 1.2.3 (rust)
tauri → 2.0.0-alpha.2 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

The issue has been patched in the latest release and was backported into the currently supported 1.x branches.

Frequently Asked Questions

  1. What is CVE-2022-46171? CVE-2022-46171 is a medium-severity path traversal vulnerability in tauri (rust), affecting versions >= 1.0.0, < 1.0.8; >= 1.1.0, < 1.1.3; >= 1.2.0, < 1.2.3; and >= 2.0.0-alpha.0, < 2.0.0-alpha.2. It is fixed in 1.0.8, 1.1.3, 1.2.3 and 2.0.0-alpha.2. Glob wildcards in fs scopes match path separators and leading dots, so files in sub directories and hidden directories of an allowed folder, such as configuration or credential files, become reachable.
  2. How severe is CVE-2022-46171? CVE-2022-46171 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of tauri are affected by CVE-2022-46171? tauri (rust) versions >= 1.0.0, < 1.0.8; >= 1.1.0, < 1.1.3; >= 1.2.0, < 1.2.3; and >= 2.0.0-alpha.0, < 2.0.0-alpha.2 are affected.
  4. Is there a fix for CVE-2022-46171? Yes. CVE-2022-46171 is fixed in 1.0.8, 1.1.3, 1.2.3 and 2.0.0-alpha.2. Upgrade to the fixed release of the branch you use, or later.
  5. Is CVE-2022-46171 exploitable, and should I be worried? Whether CVE-2022-46171 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2022-46171 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2022-46171? Upgrade tauri to the fixed release of the branch you are on:
    • 1.0.x: upgrade to 1.0.8 or later
    • 1.1.x: upgrade to 1.1.3 or later
    • 1.2.x: upgrade to 1.2.3 or later
    • 2.0.0-alpha: upgrade to 2.0.0-alpha.2 or later

Other vulnerabilities in tauri

CVE-2024-35222
CVE-2023-34460
CVE-2023-31134
CVE-2022-46171
CVE-2022-41874
