Rust Security Advisory CVE-2024-24576
The Rust Security Response WG announced CVE-2024-24576, which affects the Rust Standard Library on Windows.
TL;DR: Upgrade your Rust version to 1.77.2.
How Does it Affect Tauri as a Library?
Some Tauri organization repositories use batch files (cmd.exe under the hood) for developer environment tooling such as build scripts.
No reviewed repositories use batch files for runtime code.
We don’t see additional risks for the Tauri project based on this CVE.
Nevertheless, we will update our CI systems to use the latest Rust version.
Is My Tauri App Affected?
In general, you are possibly affected if you fulfil all of the following criteria:
- You ship your app on Windows
- Your project enables the Tauri v1 shell feature with "execute": true or the v2 shell-plugin with the allow-execute permission
- You allow arguments in the scope element of the shell feature
- You pass untrusted input to cmd.exe or .bat/.cmd files and improperly validate the scope (🚩)
If any of these criteria is not fulfilled in your application, you are likely NOT affected.
If your application implements custom commands or other logic that directly exposes the Rust Command API with arguments provided at runtime, you may be affected.
While not Tauri specific, this pattern could affect any Rust project.
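As an added example (not code from the Tauri project or the Rust standard library), the block below shows the defensive pattern the criteria above point at: a custom command in Rust that applies an allow-list "scope" to runtime-supplied arguments before they are attached to std::process::Command for a .bat/.cmd target. The ArgScope type, its fields, the ArgError variants, build_checked_command and the build.bat path are all assumptions constructed for this example; the real Tauri shell scope format is richer than this stand-in.

```rust
use std::process::Command;

/// Characters cmd.exe gives special meaning when it re-parses the command
/// line of a batch file. Arguments containing any of them are refused
/// outright rather than escaped, because escaping for cmd.exe is exactly
/// what this CVE is about.
const CMD_META: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '(', ')', '\r', '\n'];

/// Reasons a runtime-supplied argument is refused.
#[derive(Debug, PartialEq)]
pub enum ArgError {
    Empty,
    TooLong(usize),
    ForbiddenChar(char),
    NotInScope(String),
}

/// A minimal allow-list scope for one command (assumption: a simplified
/// stand-in for a Tauri shell scope entry, not its real format).
pub struct ArgScope {
    /// Exact flags accepted as-is, e.g. "--verbose".
    pub literals: &'static [&'static str],
    /// Upper bound on the length of free-form values.
    pub max_len: usize,
}

impl ArgScope {
    /// Accept an argument only if it is a known literal or a plain value made
    /// of ASCII alphanumerics and a few path characters cmd.exe does not
    /// interpret. Everything else is rejected with the reason.
    pub fn check(&self, arg: &str) -> Result<(), ArgError> {
        if arg.is_empty() {
            return Err(ArgError::Empty);
        }
        if self.literals.iter().any(|lit| *lit == arg) {
            return Ok(());
        }
        if arg.len() > self.max_len {
            return Err(ArgError::TooLong(arg.len()));
        }
        if let Some(c) = arg.chars().find(|c| CMD_META.contains(c) || c.is_control()) {
            return Err(ArgError::ForbiddenChar(c));
        }
        if !arg.chars().all(|c| c.is_ascii_alphanumeric() || "-_./:\\".contains(c)) {
            return Err(ArgError::NotInScope(arg.to_string()));
        }
        Ok(())
    }
}

/// Build (but do not spawn) a Command, attaching arguments only after every
/// one of them has passed the scope check. The first failure is returned
/// instead of a partially built command.
pub fn build_checked_command(
    program: &str,
    scope: &ArgScope,
    args: &[&str],
) -> Result<Command, ArgError> {
    for a in args {
        scope.check(a)?;
    }
    let mut cmd = Command::new(program);
    cmd.args(args);
    Ok(cmd)
}

fn main() {
    // Constructed sample: a build script that takes one flag and one file name.
    let scope = ArgScope { literals: &["--verbose"], max_len: 64 };
    for arg in ["--verbose", "report.txt", "a\"b", "x&y", ""] {
        println!("{arg:?}: {:?}", scope.check(arg));
    }
    match build_checked_command("build.bat", &scope, &["--verbose", "report.txt"]) {
        Ok(cmd) => println!("would run: {cmd:?}"),
        Err(e) => println!("refused: {e:?}"),
    }
}
```

On Rust 1.77.2 and later the standard library itself refuses, at spawn time, batch-file arguments it cannot quote safely; an allow-list like this sits in front of that as defence in depth, and it is also what closes the "improperly validated scope" case, since a scope that accepts arbitrary arguments is unsafe regardless of how well they are escaped.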
Conclusion
Please upgrade your Rust version to 1.77.2 as soon as possible and distribute updates to your users.
This investigation and writeup was performed in cooperation with our partner CrabNebula ❤️.
Read more about this security advisory here. This issue affects many programming languages; this specific CVE is just the one filed for Rust.
© 2024 Tauri Contributors. CC-BY / MIT

