Malicious projects can read and upload arbitrary files from disk in TurboWarp Desktop
Description
TurboWarp is a desktop application that compiles Scratch projects to JavaScript. TurboWarp Desktop versions prior to 1.8.0 allowed a malicious project or custom extension to read arbitrary files from disk and upload them to a remote server. The only required user interaction is opening the sb3 file or loading the extension. The web version of TurboWarp is not affected. This bug has been addressed in commit 55e07e99b59 after an initial fix which was reverted. Users are advised to upgrade to version 1.8.0 or later. Users unable to upgrade should avoid opening sb3 files or loading extensions from untrusted sources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < 1.8.0
- TurboWarp/desktop (v5): range < 1.8.0
Vulnerability mechanics
Root cause
"The application failed to properly enforce Cross-Origin Resource Sharing (CORS) policies for file:// URIs when fetching external resources."
Attack vector
An attacker can craft a malicious Scratch project (`.sb3` file) or a custom extension. When a user opens this project or loads the extension within the affected TurboWarp Desktop application, the project can initiate requests to arbitrary local files or remote servers. This bypasses standard web security restrictions, allowing the malicious content to read and upload sensitive data from the user's disk to a location controlled by the attacker. The only user interaction required is opening the project file or loading the extension [ref_id=1].
Affected code
The vulnerability lies within the web request handling logic in the Electron application, specifically in how it manages CORS policies for requests originating from file:// URIs. The changes in `desktop-settings.js` and `main.js` address this by introducing a bypass CORS feature and modifying the `onHeadersReceived` and `onBeforeRequest` event handlers to enforce these policies more strictly [ref_id=1].
What the fix does
The patch introduces a new setting and logic to control CORS bypass for extensions. Specifically, it adds a `bypass_cors` setting and associated IPC handlers to manage its state [ref_id=1]. The `session.webRequest.onHeadersReceived` handler is modified to check this bypass setting. If CORS bypass is enabled, it allows requests from file:// URIs to any origin; otherwise, it enforces stricter CORS checks, preventing unauthorized access to external resources [ref_id=1].
Preconditions
- Input: the user must open a malicious .sb3 project file or load a malicious custom extension.
- Config: the TurboWarp Desktop application must be running, and the 'bypass CORS' setting must be enabled for the most severe impact, although the vulnerability exists even when this setting is disabled due to insufficient enforcement.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/TurboWarp/desktop/commit/55e07e99b59db334d75e8f46792a1569ab0884a6 (mitre, x_refsource_MISC)
- https://github.com/TurboWarp/desktop/commit/a62dbd7a28b41857e3b6f32443fda0527d493267 (mitre, x_refsource_MISC)
- https://github.com/TurboWarp/desktop/commit/f0f82aaf6cc8170e9da8b36953c98bfe533c019f (mitre, x_refsource_MISC)
- https://github.com/TurboWarp/desktop/security/advisories/GHSA-wg4p-vj7h-q82q (mitre, x_refsource_CONFIRM)