CVE-2023-40168

7.4 HIGH

📋 TL;DR

This vulnerability in TurboWarp Desktop allows malicious Scratch projects or custom extensions to read arbitrary files from the user's disk and upload them to remote servers without user consent. Only the desktop application versions before 1.8.0 are affected, not the web version. Users who open untrusted sb3 files or load untrusted extensions are at risk.

💻 Affected Systems

Products:
  • TurboWarp Desktop
Versions: All versions prior to 1.8.0
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only the desktop application is affected; the web version is not vulnerable. Exploitation requires the user to open a malicious sb3 file or load a malicious extension.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive files, including passwords, private keys, documents, and personal data, are read from disk and exfiltrated to attacker-controlled servers.

🟠 Likely Case

Theft of user files from the compromised system, potentially including sensitive documents, configuration files, or other accessible data.

🟢 If Mitigated

No impact if users only open trusted projects and extensions, or if the vulnerability is patched.

🌐 Internet-Facing: LOW - The desktop application itself is not typically internet-facing, though malicious content could be delivered via internet.
🏢 Internal Only: HIGH - The vulnerability allows local file access and exfiltration, making internal systems vulnerable to data theft.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening a malicious file) but no authentication. The vulnerability lies in the application's file system access controls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0 and later

Vendor Advisory: https://github.com/TurboWarp/desktop/security/advisories/GHSA-wg4p-vj7h-q82q

Restart Required: Yes

Instructions:

1. Download TurboWarp Desktop version 1.8.0 or later from official sources.
2. Install the update.
3. Restart the application.

🔧 Temporary Workarounds

Restrict file access (all platforms)

Run TurboWarp in a sandboxed environment or with restricted file system permissions.

🧯 If You Can't Patch

  • Avoid opening sb3 files or loading extensions from untrusted sources
  • Use the web version of TurboWarp instead of the desktop application

🔍 How to Verify

Check if Vulnerable:

Check TurboWarp Desktop version in application settings or About dialog

Check Version:

Check application version in Help > About or Settings

Verify Fix Applied:

Verify version is 1.8.0 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from TurboWarp process
  • Network connections to unknown servers after opening sb3 files

Network Indicators:

  • Outbound connections to suspicious domains/IPs after file operations
  • Unexpected file upload traffic

SIEM Query:

Process:TurboWarp AND (FileAccess:* OR NetworkConnection:*)
