Moderate severity · NVD Advisory · Published Jun 23, 2023 · Updated Nov 7, 2024

Tauri vulnerable to Regression on Filesystem Scope Checks for Dotfiles

CVE-2023-34460

Description

Tauri is a framework for building binaries for all major desktop platforms. The 1.4.0 release includes a regression on the Filesystem scope check for dotfiles on Unix. Previously dotfiles were not implicitly allowed by the glob wildcard scopes (e.g. $HOME/*), but a regression was introduced when a configuration option for this behavior was implemented. Only Tauri applications using wildcard scopes in the fs endpoint are affected. The regression has been patched on version 1.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tauri 1.4.0 regressed filesystem scope check, allowing wildcards to implicitly match dotfiles on Unix, bypassing hidden file protections.

Vulnerability

Overview

CVE-2023-34460 is a regression introduced in Tauri 1.4.0 affecting the filesystem scope check for dotfiles on Unix platforms. The root cause is a flipped boolean in the implementation of the require_literal_leading_dot configuration option, which controls whether wildcard patterns like $HOME/* should implicitly match files and directories starting with a dot. Prior to 1.4.0, dotfiles were not implicitly allowed by such wildcard scopes; the regression inadvertently changed this behavior, making dotfiles accessible contrary to the intended security model [1][2][4].

Exploitation

The vulnerability only affects Tauri applications that use wildcard scopes (e.g., $HOME/*) in their fs endpoint configuration. An attacker with local access or the ability to trick a user into performing file operations could exploit the incorrect scope to read or write dotfiles (such as .ssh/authorized_keys, .bashrc, or configuration files) that should have been excluded by the default glob matching behavior. No authentication is required beyond what the Tauri application normally allows [1][2][3].
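The matching rule that the Overview and Exploitation sections describe, as an added example that is not Tauri's own code: a minimal component-wise scope matcher (supporting `*` and `?` only, with `/home/u` standing in for a user's `$HOME`) in which `require_literal_leading_dot` decides whether the wildcard scope `$HOME/*` covers `~/.bashrc`. It generalises the page's single case to any `/`-separated pattern of that form.

```rust
// Added example, not Tauri's code: a minimal scope matcher reproducing the
// `require_literal_leading_dot` semantics the 1.4.1 fix restores (`*`, `?` only).

#[derive(Clone, Copy, Debug)]
pub struct MatchOptions {
    /// When true, a name that starts with `.` only matches a pattern component
    /// that also starts with a literal `.`; wildcards never match the dot.
    pub require_literal_leading_dot: bool,
}

/// Platform default as restored by the fix: hidden entries excluded on Unix.
pub fn default_options() -> MatchOptions {
    MatchOptions { require_literal_leading_dot: cfg!(unix) }
}

/// Plain wildcard match of one pattern component against one path component.
fn glob_component(pat: &[char], name: &[char]) -> bool {
    match (pat.first(), name.first()) {
        (None, None) => true,
        (Some('*'), _) => (0..=name.len()).any(|i| glob_component(&pat[1..], &name[i..])),
        (Some('?'), Some(_)) => glob_component(&pat[1..], &name[1..]),
        (Some(p), Some(n)) if p == n => glob_component(&pat[1..], &name[1..]),
        _ => false,
    }
}

/// The leading-dot rule is applied once, before the wildcard match runs.
fn component_allowed(pat: &str, name: &str, opts: MatchOptions) -> bool {
    if opts.require_literal_leading_dot && name.starts_with('.') && !pat.starts_with('.') {
        return false; // hidden entry: only a literal `.` in the pattern may match it
    }
    let (p, n): (Vec<char>, Vec<char>) = (pat.chars().collect(), name.chars().collect());
    glob_component(&p, &n)
}

/// Is `path` inside the scope `pattern`? Both are `/`-separated and already
/// normalised (no `..`); a path with a different component count never matches.
pub fn path_in_scope(pattern: &str, path: &str, opts: MatchOptions) -> bool {
    let pats: Vec<&str> = pattern.split('/').collect();
    let parts: Vec<&str> = path.split('/').collect();
    pats.len() == parts.len() && pats.iter().zip(&parts).all(|(p, n)| component_allowed(p, n, opts))
}

fn main() {
    let vulnerable = MatchOptions { require_literal_leading_dot: false }; // Tauri 1.4.0 on Unix
    let fixed = MatchOptions { require_literal_leading_dot: true }; // Tauri 1.4.1 on Unix
    for opts in [vulnerable, fixed] {
        println!("{:?}: /home/u/* covers /home/u/.bashrc -> {}", opts, path_in_scope("/home/u/*", "/home/u/.bashrc", opts));
    }
}
```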

Impact

Successful exploitation enables an attacker to read sensitive hidden files that were intended to be protected by the scope restriction, potentially leading to credential theft, privilege escalation, or further system compromise. The impact is limited to file operations within the scope of the wildcard path, but may expose sensitive personal or system configuration data [1][2][4].

Mitigation

The regression was patched in Tauri version 1.4.1, which sets the require_literal_leading_dot default back to true on Unix systems and restores the intended behavior. Users should update the Tauri framework to 1.4.1 or later. No workaround is available for applications using wildcard scopes; staying pinned to version 1.4.0, or reverting to a prior unaffected version instead of applying the patch, is not recommended [1][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
tauri     crates.io   >= 1.4.0, < 1.4.1   1.4.1

Affected products

  • ghsa-coords
    Range: >= 1.4.0, < 1.4.1
  • tauri-apps/tauriv5
    Range: = 1.4.0

Patches

066c09a6ea06

fix(core): fix `require_literal_leading_dot` flipped behavior (#7227)

https://github.com/tauri-apps/tauri · Amr Bashir · Jun 17, 2023 · via ghsa
6 files changed · +13 −7
  • .changes/config.json · +1 −0 · modified
    @@ -7,6 +7,7 @@
         "bug": "Bug Fixes",
         "pref": "Performance Improvements",
         "changes": "What's Changed",
    +    "sec": "Security fixes",
         "deps": "Dependencies"
       },
       "defaultChangeTag": "changes",
    
  • .changes/core-leading-dot.md · +5 −0 · added
    @@ -0,0 +1,5 @@
    +---
    +'tauri': 'patch:sec'
    +---
    +
    +Fix regression in `1.4` where the default behavior of the file system scope was changed to allow reading hidden files and directories by default.
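Review bot: the change note only mentions "reading hidden files and directories", but the scope gates every fs endpoint operation, so writes to dotfiles were equally affected by the flipped default; suggest "allow reading and writing hidden files and directories by default" so the changelog does not understate the fix. Naming CVE-2023-34460 in the note would also let downstream consumers map the patch release to the advisory.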
    
  • core/tauri-config-schema/schema.json · +1 −1 · modified
    @@ -2102,7 +2102,7 @@
                   }
                 },
                 "requireLiteralLeadingDot": {
    -              "description": "Whether or not paths that contain components that start with a `.` will require that `.` appears literally in the pattern; `*`, `?`, `**`, or `[...]` will not match. This is useful because such files are conventionally considered hidden on Unix systems and it might be desirable to skip them when listing files.\n\nDefaults to `false` on Unix systems and `true` on Windows",
    +              "description": "Whether or not paths that contain components that start with a `.` will require that `.` appears literally in the pattern; `*`, `?`, `**`, or `[...]` will not match. This is useful because such files are conventionally considered hidden on Unix systems and it might be desirable to skip them when listing files.\n\nDefaults to `true` on Unix systems and `false` on Windows",
                   "type": [
                     "boolean",
                     "null"
    
  • core/tauri/src/scope/fs.rs · +4 −4 · modified
    @@ -114,9 +114,9 @@ impl Scope {
           } => *require,
           // dotfiles are not supposed to be exposed by default on unix
           #[cfg(unix)]
    -      _ => false,
    -      #[cfg(windows)]
           _ => true,
    +      #[cfg(windows)]
    +      _ => false,
         };
     
         Ok(Self {
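Review bot: the catch-all arm is duplicated under `#[cfg(unix)]` and `#[cfg(windows)]`, so on any target that is neither the match has no `_` arm after `} => *require,` and will not compile; a single `_ => cfg!(unix),` expresses the same default on one line, removes the cfg duplication, and would have made the original swap (value and platform on different lines) much harder to introduce. The comment `// dotfiles are not supposed to be exposed by default on unix` should also note that an explicit value from configuration still reaches the `*require` arm, so an application that sets the option to `false` on Unix opts back into wildcard matching of dotfiles.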
    @@ -287,9 +287,9 @@ mod tests {
             require_literal_separator: true,
             // dotfiles are not supposed to be exposed by default on unix
             #[cfg(unix)]
    -        require_literal_leading_dot: false,
    -        #[cfg(windows)]
             require_literal_leading_dot: true,
    +        #[cfg(windows)]
    +        require_literal_leading_dot: false,
             ..Default::default()
           },
         }
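Review bot: this test only checks that the default `MatchOptions` is assembled with the platform-specific literal, which mirrors the production expression, so it passed in 1.4.0 with the flipped value because the expected value was flipped in lockstep (exactly what this hunk has to undo). Add a behavioural regression test, gated on Unix, that builds a scope from a wildcard pattern such as `$HOME/*` and asserts that a path with a leading-dot component (for example `$HOME/.bashrc`) is rejected while a plain file under the same directory is allowed; that pins the security property rather than the implementation detail.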
    
  • core/tauri-utils/src/config.rs · +1 −1 · modified
    @@ -1329,7 +1329,7 @@ pub enum FsAllowlistScope {
         /// conventionally considered hidden on Unix systems and it might be
         /// desirable to skip them when listing files.
         ///
    -    /// Defaults to `false` on Unix systems and `true` on Windows
    +    /// Defaults to `true` on Unix systems and `false` on Windows
         // dotfiles are not supposed to be exposed by default on unix
         #[serde(alias = "require-literal-leading-dot")]
         require_literal_leading_dot: Option<bool>,
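Review bot: the doc comment now states the platform defaults but not that the field is `Option<bool>`, where leaving it unset keeps the platform default and an explicit value overrides it; one sentence such as "Leave unset to keep the platform default; setting this to `false` on Unix exposes dotfiles to wildcard scopes" would make the security consequence visible to application authors reading the generated config docs. The line `// dotfiles are not supposed to be exposed by default on unix` sits between the `///` block and the `#[serde]` attribute, where rustdoc readers never see it, so fold that rationale into the doc comment. Since this text is copied by hand into both `core/tauri-config-schema/schema.json` and `tooling/cli/schema.json` in the same commit, a CI check that regenerates the schemas and fails on drift would stop a future default change from leaving the schema describing the opposite behaviour.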
    
  • tooling/cli/schema.json · +1 −1 · modified
    @@ -2102,7 +2102,7 @@
                   }
                 },
                 "requireLiteralLeadingDot": {
    -              "description": "Whether or not paths that contain components that start with a `.` will require that `.` appears literally in the pattern; `*`, `?`, `**`, or `[...]` will not match. This is useful because such files are conventionally considered hidden on Unix systems and it might be desirable to skip them when listing files.\n\nDefaults to `false` on Unix systems and `true` on Windows",
    +              "description": "Whether or not paths that contain components that start with a `.` will require that `.` appears literally in the pattern; `*`, `?`, `**`, or `[...]` will not match. This is useful because such files are conventionally considered hidden on Unix systems and it might be desirable to skip them when listing files.\n\nDefaults to `true` on Unix systems and `false` on Windows",
                   "type": [
                     "boolean",
                     "null"
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
