Tauri Origin Confusion Vulnerability in Custom URI Scheme Handling on Windows and Android

Vulnerability

A vulnerability exists in Tauri versions 2.0 through 2.11.0, where the 'is_local_url()' function incorrectly identifies remote URLs as trusted local origins on Windows and Android. This misclassification allows remote pages to invoke IPC (inter-process communication) commands that are meant to be callable only from local origins. The root cause is that Tauri's origin check compares only the first subdomain label of the host, so a remote page hosted under a subdomain whose leading label matches a registered custom URI scheme is treated as if it were local. The vulnerability is patched in Tauri version 2.11.1.

Impact

Exploitation allows remote pages to execute backend commands intended for the app's frontend, bypassing restrictions on external origins.

Reproduction

To reproduce this vulnerability, create a Tauri application that registers a custom URI scheme. The application should expose a command restricted to local origins. Then, host a page on a domain with a subdomain that matches the registered scheme. When the page is loaded in a WebView, it can invoke the restricted command, demonstrating the origin confusion flaw.
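The following Rust snippet is an added illustration, not Tauri's own code, of the two origin checks contrasted above: a weak check that inspects only the first host label (modeled on the flaw as described, not on Tauri's actual implementation) beside a strict check that requires the exact local origin. It assumes that custom schemes are served from 'http://<scheme>.localhost' on the affected platforms and from '<scheme>://localhost' elsewhere; the helper names ('parse_origin', 'is_local_url_weak', 'is_local_url_strict'), the registered scheme set and the sample URLs are constructed for this example.

```rust
use std::collections::HashSet;

/// The two pieces of a URL that an origin check needs (hypothetical helper type).
#[derive(Debug, PartialEq)]
pub struct Origin {
    pub scheme: String,
    pub host: String,
}

/// Split "scheme://[user@]host[:port][/path]" into a lowercased scheme and host.
/// Returns None for anything that is not an absolute URL. Bracketed IPv6 hosts
/// are not handled; this parser exists only to support the checks below.
pub fn parse_origin(url: &str) -> Option<Origin> {
    let (scheme, rest) = url.split_once("://")?;
    // Authority ends at the first path, query or fragment delimiter.
    let authority = rest.split(['/', '?', '#']).next()?;
    // Drop any userinfo, then any port; only the host takes part in the comparison.
    let host_port = authority.rsplit('@').next()?;
    let host = host_port.split(':').next()?;
    if scheme.is_empty() || host.is_empty() {
        return None;
    }
    Some(Origin {
        scheme: scheme.to_ascii_lowercase(),
        host: host.to_ascii_lowercase(),
    })
}

/// Flawed check in the spirit of the advisory: it looks only at the leftmost
/// DNS label, so any host whose first label equals a registered scheme passes,
/// regardless of the labels that follow it.
pub fn is_local_url_weak(url: &str, schemes: &HashSet<&str>) -> bool {
    match parse_origin(url) {
        Some(origin) => {
            let first_label = origin.host.split('.').next().unwrap_or("");
            schemes.contains(first_label)
        }
        None => false,
    }
}

/// Strict check: the whole origin (scheme plus full host) must equal one of the
/// forms an app-served page can actually have. Both accepted forms are assumed
/// conventions for this example, not a statement about Tauri's internals.
pub fn is_local_url_strict(url: &str, schemes: &HashSet<&str>) -> bool {
    let origin = match parse_origin(url) {
        Some(o) => o,
        None => return false,
    };
    schemes.iter().any(|s| {
        // Proxied form used where custom schemes ride over http(s): http://<scheme>.localhost
        let proxied = (origin.scheme == "http" || origin.scheme == "https")
            && origin.host == format!("{}.localhost", s);
        // Native form: <scheme>://localhost
        let native = origin.scheme == *s && origin.host == "localhost";
        proxied || native
    })
}

fn main() {
    // Constructed registered schemes and sample URLs for a stand-alone run.
    let schemes: HashSet<&str> = ["tauri", "app"].iter().copied().collect();
    let samples = [
        "http://tauri.localhost/index.html",
        "tauri://localhost/",
        "https://tauri.example.test/page",
        "https://example.test/",
    ];
    for url in samples {
        println!(
            "{:<40} weak={:<5} strict={}",
            url,
            is_local_url_weak(url, &schemes),
            is_local_url_strict(url, &schemes)
        );
    }
}
```

The weak and strict checks agree on genuine local origins; they diverge only on a remote host whose leading label happens to equal a registered scheme, which is exactly the class of input the advisory says must be rejected. The defensive lesson is to compare the complete origin against an explicit allow-list rather than any prefix or label of it.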

Remediation

Users can update to Tauri version 2.11.1 or later to address this vulnerability.

Added: May 27, 2026, 5:28 PM
Updated: May 27, 2026, 5:28 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 5.0
exploitability: 5.4
remediation: 7.7
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.