{"id":"CVE-2022-39215","summary":"The readDir Endpoint Scope can be Bypassed With Symbolic Links in Tauri","details":"Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.","aliases":["GHSA-28m8-9j7v-x499","RUSTSEC-2022-0088"],"modified":"2026-04-10T04:51:12.634262Z","published":"2022-09-15T21:35:11Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39215.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/tauri-apps/tauri/pull/5123/commits/1f9b9e8d26a2c915390323e161020bcb36d44678"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39215.json"},{"type":"ADVISORY","url":"https://github.com/tauri-apps/tauri/security/advisories/GHSA-28m8-9j7v-x499"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39215"},{"type":"REPORT","url":"https://github.com/tauri-apps/tauri/issues/4882"},{"type":"FIX","url":"https://github.com/tauri-apps/tauri/pull/5123"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tauri-apps/tauri","events":[{"introduced":"0"},{"fixed":"e7af22c9d9618c21a6d4990c25b599527dbeaf33"}]}],"versions":["0.5.2-binaries","api-v1.0","api-v1.0.0","api-v1.0.0-beta-rc.0","api-v1.0.0-beta-rc.1","api-v1.0.0-rc.1","api-v1.0.0-rc.2","api-v1.0.0-rc.3","api-v1.0.0-rc.4","api-v1.0.0-rc.5","api-v1.0.0-rc.6","api-v1.0.0-rc.7","api-v1.0.1","api-v1.0.2","cli.js-v1","cli.js-v1.0","cli.js-v1.0.0","cli.js-v1.0.0-beta-rc.0","cli.js-v1.0.0-beta-rc.1","cli.js-v1.0.0-beta-rc.2","cli.js-v1.0.0-beta-rc.3","cli.js-v1.0.0-beta-rc.4","cli.js-v1.0.0-beta.0","cli.js-v1.0.0-beta.1","cli.js-v1.0.0-beta.10","cli.js-v1.0.0-beta.2","cli.js-v1.0.0-beta.3","cli.js-v1.0.0-beta.4","cli.js-v1.0.0-beta.5","cli.js-v1.0.0-beta.6","cli.js-v1.0.0-beta.7","cli.js-v1.0.0-beta.8","cli.js-v1.0.0-beta.9","cli.js-v1.0.0-rc.10","cli.js-v1.0.0-rc.11","cli.js-v1.0.0-rc.12","cli.js-v1.0.0-rc.13","cli.js-v1.0.0-rc.14","cli.js-v1.0.0-rc.15","cli.js-v1.0.0-rc.16","cli.js-v1.0.0-rc.5","cli.js-v1.0.0-rc.6","cli.js-v1.0.0-rc.8","cli.js-v1.0.0-rc.9","cli.js-v1.0.1","cli.js-v1.0.2","cli.js-v1.0.3","cli.js-v1.0.4","cli.js-v1.0.5","cli.rs-v1.0","cli.rs-v1.0.0","cli.rs-v1.0.0-beta-rc.0","cli.rs-v1.0.0-beta-rc.1","cli.rs-v1.0.0-beta-rc.2","cli.rs-v1.0.0-beta-rc.3","cli.rs-v1.0.0-beta-rc.4","cli.rs-v1.0.0-beta.0","cli.rs-v1.0.0-beta.1","cli.rs-v1.0.0-beta.2","cli.rs-v1.0.0-beta.3","cli.rs-v1.0.0-beta.4","cli.rs-v1.0.0-beta.5","cli.rs-v1.0.0-beta.6","cli.rs-v1.0.0-beta.7","cli.rs-v1.0.0-rc.0","cli.rs-v1.0.0-rc.1","cli.rs-v1.0.0-rc.10","cli.rs-v1.0.0-rc.11","cli.rs-v1.0.0-rc.12","cli.rs-v1.0.0-rc.13","cli.rs-v1.0.0-rc.14","cli.rs-v1.0.0-rc.15","cli.rs-v1.0.0-rc.16","cli.rs-v1.0.0-rc.2","cli.rs-v1.0.0-rc.3","cli.rs-v1.0.0-rc.4","cli.rs-v1.0.0-rc.5","cli.rs-v1.0.0-rc.6","cli.rs-v1.0.0-rc.7","cli.rs-v1.0.0-rc.8","cli.rs-v1.0.0-rc.9","cli.rs-v1.0.1","cli.rs-v1.0.2","cli.rs-v1.0.3","cli.rs-v1.0.4","cli.rs-v1.0.5","create-tauri-app-v1","create-tauri-app-v1.0","create-tauri-app-v1.0.0-beta-rc.0","create-tauri-app-v1.0.0-beta-rc.1","create-tauri-app-v1.0.0-beta-rc.2","create-tauri-app-v1.0.0-beta-rc.3","create-tauri-app-v1.0.0-beta-rc.4","create-tauri-app-v1.0.0-beta.0","create-tauri-app-v1.0.0-beta.1","create-tauri-app-v1.0.0-beta.2","create-tauri-app-v1.0.0-beta.3","create-tauri-app-v1.0.0-beta.4","create-tauri-app-v1.0.0-rc.0","create-tauri-app-v1.0.0-rc.1","create-tauri-app-v1.0.0-rc.2","tauri-api-v0","tauri-api-v0.4.0","tauri-api-v0.4.1","tauri-api-v0.4.2","tauri-api-v0.5.0","tauri-api-v0.5.1","tauri-api-v0.5.2","tauri-api-v0.6.0","tauri-api-v0.6.1","tauri-api-v0.7","tauri-api-v0.7.0","tauri-api-v0.7.1","tauri-api-v0.7.2","tauri-api-v0.7.3","tauri-api-v0.7.5","tauri-build-v1.0","tauri-build-v1.0.0","tauri-build-v1.0.0-beta-rc.0","tauri-build-v1.0.0-beta-rc.1","tauri-build-v1.0.0-beta.0","tauri-build-v1.0.0-beta.1","tauri-build-v1.0.0-beta.2","tauri-build-v1.0.0-beta.3","tauri-build-v1.0.0-beta.4","tauri-build-v1.0.0-rc.0","tauri-build-v1.0.0-rc.1","tauri-build-v1.0.0-rc.10","tauri-build-v1.0.0-rc.11","tauri-build-v1.0.0-rc.12","tauri-build-v1.0.0-rc.13","tauri-build-v1.0.0-rc.14","tauri-build-v1.0.0-rc.15","tauri-build-v1.0.0-rc.2","tauri-build-v1.0.0-rc.3","tauri-build-v1.0.0-rc.4","tauri-build-v1.0.0-rc.5","tauri-build-v1.0.0-rc.6","tauri-build-v1.0.0-rc.7","tauri-build-v1.0.0-rc.8","tauri-build-v1.0.0-rc.9","tauri-build-v1.0.1","tauri-build-v1.0.2","tauri-build-v1.0.3","tauri-build-v1.0.4","tauri-bundler-v0","tauri-bundler-v0.4.0","tauri-bundler-v0.4.1","tauri-bundler-v0.4.2","tauri-bundler-v0.4.3","tauri-bundler-v0.4.4","tauri-bundler-v0.5.0","tauri-bundler-v0.6.0","tauri-bundler-v0.6.1","tauri-bundler-v0.7.0","tauri-bundler-v0.8.0","tauri-bundler-v0.8.1","tauri-bundler-v0.8.2","tauri-bundler-v0.8.3","tauri-bundler-v0.8.4","tauri-bundler-v0.8.5","tauri-bundler-v0.9","tauri-bundler-v0.9.0","tauri-bundler-v0.9.1","tauri-bundler-v0.9.3","tauri-bundler-v0.9.4","tauri-bundler-v1.0.0","tauri-bundler-v1.0.0-beta-rc.0","tauri-bundler-v1.0.0-beta-rc.1","tauri-bundler-v1.0.0-beta.0","tauri-bundler-v1.0.0-beta.1","tauri-bundler-v1.0.0-beta.2","tauri-bundler-v1.0.0-beta.3","tauri-bundler-v1.0.0-beta.4","tauri-bundler-v1.0.0-rc.0","tauri-bundler-v1.0.0-rc.1","tauri-bundler-v1.0.0-rc.10","tauri-bundler-v1.0.0-rc.2","tauri-bundler-v1.0.0-rc.3","tauri-bundler-v1.0.0-rc.4","tauri-bundler-v1.0.0-rc.5","tauri-bundler-v1.0.0-rc.6","tauri-bundler-v1.0.0-rc.7","tauri-bundler-v1.0.0-rc.8","tauri-bundler-v1.0.0-rc.9","tauri-bundler-v1.0.1","tauri-bundler-v1.0.2","tauri-bundler-v1.0.3","tauri-bundler-v1.0.4","tauri-bundler-v1.0.5","tauri-codegen-v1.0","tauri-codegen-v1.0.0","tauri-codegen-v1.0.0-beta-rc.0","tauri-codegen-v1.0.0-beta-rc.1","tauri-codegen-v1.0.0-beta.0","tauri-codegen-v1.0.0-beta.1","tauri-codegen-v1.0.0-beta.2","tauri-codegen-v1.0.0-beta.3","tauri-codegen-v1.0.0-beta.4","tauri-codegen-v1.0.0-rc.0","tauri-codegen-v1.0.0-rc.1","tauri-codegen-v1.0.0-rc.10","tauri-codegen-v1.0.0-rc.11","tauri-codegen-v1.0.0-rc.2","tauri-codegen-v1.0.0-rc.3","tauri-codegen-v1.0.0-rc.4","tauri-codegen-v1.0.0-rc.5","tauri-codegen-v1.0.0-rc.6","tauri-codegen-v1.0.0-rc.7","tauri-codegen-v1.0.0-rc.8","tauri-codegen-v1.0.0-rc.9","tauri-codegen-v1.0.1","tauri-codegen-v1.0.2","tauri-codegen-v1.0.3","tauri-codegen-v1.0.4","tauri-core-v0.4.0","tauri-core-v0.4.1","tauri-core-v0.4.2","tauri-core-v0.4.3","tauri-core-v0.5.0","tauri-core-v0.5.1","tauri-core-v0.5.2","tauri-core-v0.5.3","tauri-core-v0.6.0","tauri-core-v0.6.2","tauri-core-v0.7.0","tauri-core-v0.7.1","tauri-core-v0.7.2","tauri-core-v0.7.3","tauri-core-v0.7.4","tauri-core-v0.7.5","tauri-driver-v0.1.0","tauri-driver-v0.1.1","tauri-driver-v0.1.2","tauri-macros-v1.0","tauri-macros-v1.0.0","tauri-macros-v1.0.0-beta-rc.0","tauri-macros-v1.0.0-beta-rc.1","tauri-macros-v1.0.0-beta.0","tauri-macros-v1.0.0-beta.1","tauri-macros-v1.0.0-beta.2","tauri-macros-v1.0.0-beta.3","tauri-macros-v1.0.0-beta.4","tauri-macros-v1.0.0-beta.5","tauri-macros-v1.0.0-rc.0","tauri-macros-v1.0.0-rc.1","tauri-macros-v1.0.0-rc.10","tauri-macros-v1.0.0-rc.11","tauri-macros-v1.0.0-rc.2","tauri-macros-v1.0.0-rc.3","tauri-macros-v1.0.0-rc.4","tauri-macros-v1.0.0-rc.5","tauri-macros-v1.0.0-rc.6","tauri-macros-v1.0.0-rc.7","tauri-macros-v1.0.0-rc.8","tauri-macros-v1.0.0-rc.9","tauri-macros-v1.0.1","tauri-macros-v1.0.2","tauri-macros-v1.0.3","tauri-macros-v1.0.4","tauri-runtime-v0.1.0","tauri-runtime-v0.1.1","tauri-runtime-v0.1.2","tauri-runtime-v0.1.3","tauri-runtime-v0.1.4","tauri-runtime-v0.10.0","tauri-runtime-v0.10.1","tauri-runtime-v0.10.2","tauri-runtime-v0.2","tauri-runtime-v0.2.0","tauri-runtime-v0.2.1","tauri-runtime-v0.3","tauri-runtime-v0.3.0","tauri-runtime-v0.3.1","tauri-runtime-v0.3.2","tauri-runtime-v0.3.3","tauri-runtime-v0.3.4","tauri-runtime-v0.4","tauri-runtime-v0.4.0","tauri-runtime-v0.5","tauri-runtime-v0.5.0","tauri-runtime-v0.5.1","tauri-runtime-v0.6","tauri-runtime-v0.6.0","tauri-runtime-v0.7","tauri-runtime-v0.7.0","tauri-runtime-v0.8","tauri-runtime-v0.8.0","tauri-runtime-v0.8.1","tauri-runtime-v0.9","tauri-runtime-v0.9.0","tauri-runtime-wry-v0.1.0","tauri-runtime-wry-v0.1.1","tauri-runtime-wry-v0.1.2","tauri-runtime-wry-v0.1.3","tauri-runtime-wry-v0.1.4","tauri-runtime-wry-v0.10.0","tauri-runtime-wry-v0.10.1","tauri-runtime-wry-v0.10.2","tauri-runtime-wry-v0.2","tauri-runtime-wry-v0.2.0","tauri-runtime-wry-v0.2.1","tauri-runtime-wry-v0.3","tauri-runtime-wry-v0.3.0","tauri-runtime-wry-v0.3.1","tauri-runtime-wry-v0.3.2","tauri-runtime-wry-v0.3.3","tauri-runtime-wry-v0.3.4","tauri-runtime-wry-v0.3.5","tauri-runtime-wry-v0.4","tauri-runtime-wry-v0.4.0","tauri-runtime-wry-v0.5","tauri-runtime-wry-v0.5.0","tauri-runtime-wry-v0.5.1","tauri-runtime-wry-v0.5.2","tauri-runtime-wry-v0.6","tauri-runtime-wry-v0.6.0","tauri-runtime-wry-v0.7","tauri-runtime-wry-v0.7.0","tauri-runtime-wry-v0.8","tauri-runtime-wry-v0.8.0","tauri-runtime-wry-v0.8.1","tauri-runtime-wry-v0.9","tauri-runtime-wry-v0.9.0","tauri-updater-v0.4.0","tauri-updater-v0.4.1","tauri-updater-v0.4.2","tauri-utils-v0.4.0","tauri-utils-v0.4.1","tauri-utils-v0.5.0","tauri-utils-v0.5.1","tauri-utils-v1.0","tauri-utils-v1.0.0","tauri-utils-v1.0.0-beta-rc.0","tauri-utils-v1.0.0-beta-rc.1","tauri-utils-v1.0.0-beta.0","tauri-utils-v1.0.0-beta.1","tauri-utils-v1.0.0-beta.2","tauri-utils-v1.0.0-beta.3","tauri-utils-v1.0.0-rc.0","tauri-utils-v1.0.0-rc.1","tauri-utils-v1.0.0-rc.2","tauri-utils-v1.0.0-rc.3","tauri-utils-v1.0.0-rc.4","tauri-utils-v1.0.0-rc.5","tauri-utils-v1.0.0-rc.6","tauri-utils-v1.0.0-rc.7","tauri-utils-v1.0.0-rc.8","tauri-utils-v1.0.0-rc.9","tauri-utils-v1.0.1","tauri-utils-v1.0.2","tauri-utils-v1.0.3","tauri-v0","tauri-v0.10","tauri-v0.10.0","tauri-v0.11","tauri-v0.11.0","tauri-v0.11.1","tauri-v0.8","tauri-v0.8.0","tauri-v0.9","tauri-v0.9.0","tauri-v0.9.1","tauri-v0.9.2","tauri-v1.0.0","tauri-v1.0.0-beta-rc.0","tauri-v1.0.0-beta-rc.2","tauri-v1.0.0-beta-rc.3","tauri-v1.0.0-beta-rc.4","tauri-v1.0.0-beta.0","tauri-v1.0.0-beta.1","tauri-v1.0.0-beta.2","tauri-v1.0.0-beta.3","tauri-v1.0.0-beta.4","tauri-v1.0.0-beta.5","tauri-v1.0.0-beta.6","tauri-v1.0.0-beta.7","tauri-v1.0.0-beta.8","tauri-v1.0.0-rc.0","tauri-v1.0.0-rc.1","tauri-v1.0.0-rc.10","tauri-v1.0.0-rc.11","tauri-v1.0.0-rc.12","tauri-v1.0.0-rc.13","tauri-v1.0.0-rc.14","tauri-v1.0.0-rc.15","tauri-v1.0.0-rc.16","tauri-v1.0.0-rc.17","tauri-v1.0.0-rc.2","tauri-v1.0.0-rc.3","tauri-v1.0.0-rc.4","tauri-v1.0.0-rc.5","tauri-v1.0.0-rc.6","tauri-v1.0.0-rc.7","tauri-v1.0.0-rc.8","tauri-v1.0.0-rc.9","tauri-v1.0.1","tauri-v1.0.2","tauri-v1.0.3","tauri-v1.0.4","tauri-v1.0.5","tauri.js-v0","tauri.js-v0.10","tauri.js-v0.10.0","tauri.js-v0.11","tauri.js-v0.11.0","tauri.js-v0.11.1","tauri.js-v0.13","tauri.js-v0.13.0","tauri.js-v0.14","tauri.js-v0.14.0","tauri.js-v0.14.1","tauri.js-v0.4.0","tauri.js-v0.4.1","tauri.js-v0.4.2","tauri.js-v0.4.3","tauri.js-v0.4.4","tauri.js-v0.4.5","tauri.js-v0.5.0","tauri.js-v0.5.1","tauri.js-v0.5.2","tauri.js-v0.6.0","tauri.js-v0.6.1","tauri.js-v0.6.2","tauri.js-v0.6.3","tauri.js-v0.7.0","tauri.js-v0.7.1","tauri.js-v0.8.0","tauri.js-v0.8.1","tauri.js-v0.8.2","tauri.js-v0.8.3","tauri.js-v0.8.4","tauri.js-v0.9.0","tauri.js-v0.9.1","v0.2.0","v0.2.1","v0.2.1-tauri-js","v0.2.1-tauri.js","v1.0.0","v1.0.0-rc.0","v1.0.0-rc.1","v1.0.0-rc.10","v1.0.0-rc.11","v1.0.0-rc.12","v1.0.0-rc.13","v1.0.0-rc.14","v1.0.0-rc.15","v1.0.0-rc.16","v1.0.0-rc.2","v1.0.0-rc.4","v1.0.0-rc.5","v1.0.0-rc.6","v1.0.0-rc.7","v1.0.0-rc.8","v1.0.0-rc.9","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39215.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}]}