Recent Rust Security Advisory: CVE-2024-24576

April 10, 2024

The Rust Security Response WG announced CVE-2024-24576, which affects the Rust Standard Library on Windows.

TL;DR: Upgrade your Rust version to 1.77.2.

How Does it Affect Tauri as a Library?

Some Tauri organization repositories use batch files (cmd.exe under the hood) for developer environment tooling such as build scripts. No reviewed repositories use batch files for runtime code.

We don’t see additional risks for the Tauri project based on this CVE.

Is My Tauri App Affected?

In general, you may be affected only if you meet all of the criteria below:

  • You ship your app on Windows
  • Your project enables the Tauri v1 shell feature with "execute": true or the v2 shell-plugin with allow-execute permission
  • You allow arguments in the scope element of the shell feature
  • You pass untrusted input to cmd.exe or .bat/.cmd files and improperly validate the scope (🚩)

If any of these criteria is not fulfilled in your application, you are likely NOT affected.

If your application implements custom commands or other logic that directly invokes the Rust standard library's Command with arguments supplied at runtime, you may be affected. While this is not Tauri specific, the same pattern could affect any Rust project.
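As an added example (not code from Tauri or from the advisory), the following Rust gatekeeper implements the "validate the scope" check from the criteria above: it identifies invocations that would go through cmd.exe (.bat/.cmd targets) and rejects any runtime-supplied argument for them that falls outside a conservative allowlist, instead of trying to escape it. The function names and the allowlist are assumptions of this example.

```rust
use std::path::Path;
use std::process::{Command, ExitStatus};
use std::io;

/// Returns true when `program` would be run through cmd.exe on Windows,
/// i.e. it is a .bat or .cmd file (extension compared case-insensitively).
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Conservative allowlist for one argument destined for a batch file: only
/// ASCII letters, digits, '-', '_' and '.'. Everything else (quotes, '%', '!',
/// '^', '&', '|', redirections, whitespace, control characters) is rejected
/// outright rather than escaped. Tighten or loosen for your own scope.
pub fn is_safe_batch_arg(arg: &str) -> bool {
    !arg.is_empty()
        && arg
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'))
}

/// Check to run before handing runtime-supplied arguments to `Command`.
/// Non-batch programs pass through unchanged; batch files get every
/// argument validated against the allowlist.
pub fn validate_invocation(program: &str, args: &[&str]) -> Result<(), String> {
    if !is_batch_file(program) {
        return Ok(());
    }
    for (i, arg) in args.iter().enumerate() {
        if !is_safe_batch_arg(arg) {
            return Err(format!(
                "argument {i} to batch file {program} contains disallowed characters"
            ));
        }
    }
    Ok(())
}

/// Wires the check into a spawn. On Rust 1.77.2 or later, `Command` itself
/// also returns `io::ErrorKind::InvalidInput` when it cannot safely escape an
/// argument for cmd.exe, so callers should treat that error the same way.
pub fn run_checked(program: &str, args: &[&str]) -> io::Result<ExitStatus> {
    validate_invocation(program, args)
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, e))?;
    Command::new(program).args(args).status()
}
```

An allowlist that rejects the whole argument is deliberately stricter than escaping: it never depends on getting cmd.exe's quoting rules exactly right.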

Conclusion

Please upgrade your Rust version to 1.77.2 as soon as possible and distribute updates to your users.

Read more about this security advisory here. The underlying issue affects many programming languages; this CVE is just the one filed for Rust.

Tillmann Weidinger, Director of Security
Chip Reed, Security Engineer