CVE-2023-46115
📋 TL;DR
This CVE describes a misconfiguration in Tauri applications using Vite that can leak private signing keys and passwords into bundled frontend code. Attackers who obtain these keys could sign malicious updates that would be accepted by affected applications. Only Tauri applications using Vite with the insecure envPrefix configuration are affected.
💻 Affected Systems
- Tauri framework applications
📦 What is this software?
Tauri by Tauri
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain private keys and passwords, allowing them to sign malicious application updates that would be automatically accepted by all deployed instances, potentially leading to complete system compromise.
Likely Case
Private signing keys and passwords are exposed in application bundles, enabling attackers to create malicious signed updates that could deploy malware or steal data.
If Mitigated
With proper configuration, private keys remain secure and only legitimate updates signed with valid keys are accepted.
🎯 Exploit Status
Exploitation requires extracting keys from bundled application code, which is straightforward once the vulnerable configuration is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Configuration fix only - no specific Tauri version required
Vendor Advisory: https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259
Restart Required: No
Instructions:
1. Update vite.config.ts to use envPrefix: ['VITE_'] only.
2. Rotate affected private keys using Tauri CLI >=1.5.5 with 'tauri signer generate'.
3. Update tauri.conf.json with new public key.
4. Sign next build with old key for existing app compatibility.
🔧 Temporary Workarounds
Immediate configuration fix
Change Vite configuration to exclude TAURI_ prefix from environment variable bundling
Edit vite.config.ts and change envPrefix: ['VITE_', 'TAURI_'] to envPrefix: ['VITE_']
🧯 If You Can't Patch
- Isolate affected applications from internet access
- Monitor for unauthorized update attempts and application behavior changes
🔍 How to Verify
Check if Vulnerable:
Check vite.config.ts for envPrefix: ['VITE_', 'TAURI_'] configuration
Check Version:
tauri --version
Verify Fix Applied:
Verify vite.config.ts uses envPrefix: ['VITE_'] only and inspect bundled application for TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD values
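The two checks above can be scripted. The following is an added example, not code from the Tauri advisory: the function names `riskyEnvPrefixes` and `findLeaks` are hypothetical and every sample value is constructed. It goes slightly beyond the literal string match by flagging any prefix that matches the secret variable names, and by searching the bundle for the secret values as well as their names.

```javascript
// Added example: static checks for the CVE-2023-46115 misconfiguration.
// Text matching only, not a full parse of the config file.
const SECRET_NAMES = ['TAURI_PRIVATE_KEY', 'TAURI_KEY_PASSWORD'];

// Return the envPrefix entries that make Vite expose the signing secrets.
// Any prefix that a secret name starts with is risky ('TAURI_', 'TAURI', ...).
function riskyEnvPrefixes(viteConfigText) {
  const m = viteConfigText.match(/envPrefix\s*:\s*(\[[^\]]*\]|['"`][^'"`]*['"`])/);
  if (!m) return []; // no envPrefix set: Vite's default is 'VITE_' only
  const prefixes = [...m[1].matchAll(/['"`]([^'"`]*)['"`]/g)].map((x) => x[1]);
  return prefixes.filter((p) => SECRET_NAMES.some((n) => n.startsWith(p)));
}

// Scan bundle text for the secret names and, when the build environment is
// supplied, for the literal values. Vite statically replaces
// import.meta.env.X in production builds, so a value can appear without its name.
function findLeaks(bundleText, env = {}) {
  const hits = [];
  for (const name of SECRET_NAMES) {
    if (bundleText.includes(name)) hits.push({ name, kind: 'name' });
    const value = env[name];
    if (value && bundleText.includes(value)) {
      hits.push({ name, kind: 'value' }); // report the name, never echo the value
    }
  }
  return hits;
}

// Constructed sample inputs (not real keys, not a real build).
const sampleConfig = "export default defineConfig({ envPrefix: ['VITE_', 'TAURI_'] })";
const sampleEnv = {
  TAURI_PRIVATE_KEY: 'CONSTRUCTED-NOT-A-REAL-KEY',
  TAURI_KEY_PASSWORD: 'constructed-pw',
};
const sampleBundle =
  'const e={VITE_API:"x",TAURI_PRIVATE_KEY:"CONSTRUCTED-NOT-A-REAL-KEY"};';

console.log('risky prefixes:', riskyEnvPrefixes(sampleConfig));
console.log('leaks:', findLeaks(sampleBundle, sampleEnv));
```

In practice, pass the contents of vite.config.ts and of each file in the frontend build output, and run the check in the same environment the release build uses so the value search has the real variables to compare against.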
📡 Detection & Monitoring
Log Indicators:
- Failed update signature verification
- Unexpected update requests
Network Indicators:
- Update requests from unauthorized sources
- Unusual network traffic from Tauri applications
SIEM Query:
Search for TAURI_PRIVATE_KEY or TAURI_KEY_PASSWORD strings in application files or memory dumps