CVE-2025-31477
Published 2025-04-02
Priority P2 60; critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.89% (54.7th percentile)
The Tauri shell plugin allows access to the system shell. Prior to 2.2.1, the Tauri shell plugin exposes functionality to execute code and open programs on the system. The open endpoint of this plugin is designed to allow open functionality with the system opener (e.g. xdg-open on Linux). This was meant to be restricted to a reasonable number of protocols like https or mailto by default. This default restriction was not functional due to improper validation of the allowed protocols, allowing for potentially dangerous protocols like file://, smb://, or nfs:// and others to be opened by the system registered protocol handler. By passing untrusted user input to the open endpoint these potentially dangerous protocols can be abused to gain remote code execution on the system. This either requires direct exposure of the endpoint to application users or code execution in the frontend of a Tauri application. This vulnerability is fixed in 2.2.1.
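As an added illustration (not code from tauri-plugin-shell or the Tauri project), the following Rust snippet shows what a working default restriction for an open-with-system-opener endpoint looks like: the scheme is parsed per RFC 3986 and compared against an explicit allowlist, so `file://`, `smb://` and `nfs://` targets are rejected before anything reaches `xdg-open`. The `lenient_contains_check` function is a hypothetical weak check included for contrast only; it is not the plugin's actual bug, which the advisory does not describe in detail. The default allowlist of `https` and `mailto` is taken from the advisory's description of the intended default; the function and type names are this example's own.

```rust
// Added example, not tauri-plugin-shell's own code: a strict scheme
// allowlist for an endpoint that hands a target to the system opener.

/// Default allowlist taken from the advisory's stated intent: only `https`
/// and `mailto` unless the application opts in to more.
pub const DEFAULT_ALLOWED_SCHEMES: &[&str] = &["https", "mailto"];

#[derive(Debug, PartialEq)]
pub enum OpenError {
    /// Input has no RFC 3986 scheme (relative path, leading whitespace, ...).
    NoScheme,
    /// Input has a scheme, but it is not on the allowlist.
    SchemeNotAllowed(String),
}

/// Extract the URI scheme per RFC 3986:
/// scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
/// Returns the scheme lowercased, or None if there is no valid scheme.
fn parse_scheme(target: &str) -> Option<String> {
    let mut chars = target.char_indices();
    let (_, first) = chars.next()?;
    if !first.is_ascii_alphabetic() {
        return None;
    }
    for (i, c) in chars {
        if c == ':' {
            // Every preceding char was ASCII, so `i` is a char boundary.
            return Some(target[..i].to_ascii_lowercase());
        }
        if !(c.is_ascii_alphanumeric() || c == '+' || c == '-' || c == '.') {
            return None;
        }
    }
    None
}

/// Decide whether `target` may be passed to the system opener. Deliberately
/// does not trim the input: whitespace before the scheme is a rejection, not
/// something to repair.
pub fn validate_open_target(target: &str, allowed: &[&str]) -> Result<String, OpenError> {
    let scheme = parse_scheme(target).ok_or(OpenError::NoScheme)?;
    if allowed.iter().any(|a| a.eq_ignore_ascii_case(&scheme)) {
        Ok(scheme)
    } else {
        Err(OpenError::SchemeNotAllowed(scheme))
    }
}

/// Hypothetical weak check for contrast (an assumed pattern, NOT the plugin's
/// actual bug): a substring match accepts any input that mentions an allowed
/// scheme anywhere, e.g. in a query string.
pub fn lenient_contains_check(target: &str, allowed: &[&str]) -> bool {
    allowed.iter().any(|a| target.contains(a))
}

fn main() {
    // Constructed sample targets, including ones the advisory names as dangerous.
    let samples = [
        "https://tauri.app",
        "mailto:user@example.com",
        "file:///etc/passwd",
        "smb://share/doc?ref=https",
        "nfs://host/export",
        "  https://example.com",
        "HTTPS://EXAMPLE.COM",
    ];
    for t in samples {
        println!(
            "{:?}: strict={:?} lenient={}",
            t,
            validate_open_target(t, DEFAULT_ALLOWED_SCHEMES),
            lenient_contains_check(t, DEFAULT_ALLOWED_SCHEMES)
        );
    }
}
```

The point of the contrast is that an allowlist is only as good as the check that applies it: `smb://share/doc?ref=https` passes the substring check but fails the strict one, because the strict check only ever looks at the parsed scheme. Applications on affected versions should pin the plugin to 2.2.1 or later and, independently, avoid forwarding untrusted frontend input to `open` at all.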
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tauri-apps | plugin-shell | >= 0 < 2.2.1 | 2.2.1 |
| tauri-apps | plugins-workspace | < 2.2.1 | 2.2.1 |
| tauri | plugin-shell | < 2.2.1 | 2.2.1 |
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA (2025-04-02): CVE-2025-31477 [CRITICAL] CWE-20
Improper Scope Validation in the `open` Endpoint of `tauri-plugin-shell`
### Impact
The Tauri [`shell`](https://tauri.app/plugin/shell/) plugin exposes functionality to execute code and open programs on the system. The [`open`](https://tauri.app/reference/javascript/shell/#open) endpoint of this plugin is designed to allow open functionality with the system opener (e.g. `xdg-open` on Linux). This was meant to be restricted to a reasonable number of protocols like `https` or `mailto` by default.
This default restriction was not functional due to improper validation of the allowed protocols, allowing for potentially dangerous protocols like `file://`, `smb://`, or `nfs://` and others to be opened by the system registered protocol handler.
By passing untrusted user input to the `open` endpoint these potentially dangerous protocols can be abused to gain remote code execution on the system. This either requires direct exposure of the endpoint to application users or code execution in the frontend of a Tauri application.
OSV (2025-04-02): CVE-2025-31477 [CRITICAL] Improper Scope Validation in the `open` Endpoint of `tauri-plugin-shell` (carries the same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.