CVE-2023-46115: Tauri Framework Misconfiguration Leading to Private Key Leakage in Vite Frontend

Tauri is a popular framework for building desktop applications compatible with all major platforms. Recently, a commonly used misconfiguration has been discovered that could lead to private key and updater key password leaks when using the Vite frontend in a specific configuration. This post aims to discuss the issue, demonstrate the affected code snippet, and provide guidance on mitigating the vulnerability.

It is important to note that the issue lies not within the Tauri code base but in the way Tauri is being used with Vite, as documented in the Vite guide. This post discusses this misconfiguration, how to identify if your application is affected, and steps to rectify the issue if required.

In the Tauri Vite guide, a code snippet is provided as an example for configuring Tauri with Vite

envPrefix: ['VITE_', 'TAURI_'],

When this code snippet is copied into the vite.config.ts file of a Tauri project, it results in bundling the TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD into the Vite frontend code. Consequently, this data is leaked to the bundled Tauri application. However, this vulnerability does not affect those using a different configuration or another framework other than Vite.

Assessing Your Application

To determine whether your application is affected by this security advisory, check your Vite configuration in the vite.config.ts file. If the envPrefix value includes 'TAURI_', like the example above, your application is at risk.

Mitigation Steps

To resolve this issue and protect your Tauri application from potential key leaks, follow these steps:

Update the envPrefix in the vite.config.ts file to only include 'VITE_'

envPrefix: ['VITE_'],

c. Update the updater's pubkey value in tauri.conf.json with the newly generated public key.

3. For your next application build, sign it with the older private key to ensure compatibility with the existing application.

Conclusion and References

This post has outlined the CVE-2023-46115 issue related to the misconfigured use of Tauri with Vite, leading to potential private key leaks. By following the mitigation steps provided, you can safeguard your Tauri application and prevent unauthorized access to sensitive data.

For further details on this vulnerability and Tauri, please refer to the following resources

- Tauri Official Documentation
- Vite Official Documentation

Stay informed about security advisories and best practices to protect your application and its users.

Timeline

Published on: 10/20/2023 00:15:16 UTC
Last modified on: 10/26/2023 17:59:29 UTC