
Cloud Vulnerability DB
A community-led vulnerabilities database
TurboWarp Desktop, a desktop application that compiles Scratch projects to JavaScript, contained a vulnerability in versions prior to 1.8.0 that allowed malicious projects or custom extensions to read arbitrary files from disk and upload them to a remote server. The vulnerability (CVE-2023-40168) was discovered and disclosed on August 17, 2023, affecting all versions before 1.8.0 (NVD, GitHub Advisory).
The vulnerability stemmed from the desktop application allowing unrestricted access to file:// URLs and unrestricted network access. This implementation flaw enabled malicious code to bypass intended security restrictions. The vulnerability has a CVSS v3.1 base score of 6.5 MEDIUM according to NVD, while GitHub rates it as 7.4 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N (NVD).
The vulnerability allowed malicious projects or extensions to silently read arbitrary files from the user's disk and upload them to a remote server. The only required user interaction was opening the sb3 file or loading the extension; pressing the green flag was not necessary. The web version of TurboWarp was not affected by this vulnerability (GitHub Advisory).
The vulnerability was patched in TurboWarp Desktop version 1.8.0. Users are advised to upgrade to version 1.8.0 or later, noting that manual updates may be required as many official distribution channels do not support automatic updates. For users unable to upgrade, the recommended workaround is to avoid opening sb3 files or loading custom extensions from untrusted sources, particularly those sent through chat messaging apps (GitHub Advisory).
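The root cause described above is a combination of two missing restrictions: untrusted project or extension code could fetch file:// URLs, and it could send the result to any host. The following is an added example, not TurboWarp's own code or its actual 1.8.0 fix, of the kind of outbound-request policy a desktop app that runs untrusted content in a web view can enforce. It assumes an Electron-style host whose request hook sees each request's URL and the origin of the document that issued it (the advisory does not name the framework, so that wiring is an assumption), and the app origin, allowlisted hosts and resource path are constructed placeholders.

```javascript
// Added example: an outbound-request policy for a desktop app that executes
// untrusted project or extension code in a web view. Not TurboWarp's code.
// Assumes an Electron-style host whose webRequest hook reports each request's
// URL and the origin of the page/worker that issued it (an assumption).

// Origin of the app's own UI. In a packaged desktop app this is typically a
// file:// document or a custom app scheme; the value here is a placeholder.
const APP_SHELL_ORIGIN = 'app://shell';

// Hosts that project/extension code may contact. Constructed sample values;
// a real allowlist would hold the app's asset and extension CDN hosts.
const ALLOWED_HOSTS = new Set(['assets.example.com', 'extensions.example.com']);

// Local directory the app shell itself may read (its installed bundle),
// expressed as a URL prefix. Placeholder path.
const APP_RESOURCE_PREFIX = 'file:///opt/example-app/resources/';

/**
 * Decide whether one outgoing request is allowed.
 * @param {{url: string, initiator: string}} req  The requested URL and the
 *        origin of the document that issued it ('null' for opaque origins,
 *        which is what sandboxed project content should run under).
 * @returns {{cancel: boolean, reason: string}}
 */
function decideRequest(req) {
  let target;
  try {
    target = new URL(req.url); // WHATWG parser; also normalises "../" segments
  } catch {
    return { cancel: true, reason: 'unparseable URL' };
  }
  const fromShell = req.initiator === APP_SHELL_ORIGIN;

  switch (target.protocol) {
    case 'file:':
      // First half of the root cause: untrusted content could fetch file:// URLs.
      // Only the app shell may read local files, and only inside its own bundle.
      if (!fromShell) return { cancel: true, reason: 'file:// from untrusted origin' };
      if (!target.href.startsWith(APP_RESOURCE_PREFIX)) {
        return { cancel: true, reason: 'file:// outside app resources' };
      }
      return { cancel: false, reason: 'app shell reading its own resources' };
    case 'http:':
    case 'https:':
      // Second half: unrestricted network access was the exfiltration channel.
      // Untrusted content only reaches allowlisted hosts.
      if (fromShell || ALLOWED_HOSTS.has(target.hostname.toLowerCase())) {
        return { cancel: false, reason: 'allowlisted host' };
      }
      return { cancel: true, reason: `host not allowlisted: ${target.hostname}` };
    case 'data:':
    case 'blob:':
      // Inline resources cannot carry data off the machine.
      return { cancel: false, reason: 'inline resource' };
    default:
      return { cancel: true, reason: `scheme not allowed: ${target.protocol}` };
  }
}

// Apply the policy to a batch and return what would be blocked, so the
// decisions can be logged and reviewed.
function blockedRequests(requests) {
  return requests
    .map((r) => ({ ...r, ...decideRequest(r) }))
    .filter((r) => r.cancel);
}

// Constructed sample traffic mirroring the advisory's scenario: project code
// (opaque origin) reads a local file and posts it to an arbitrary server,
// alongside legitimate requests from the project and from the app shell.
const SAMPLE = [
  { url: 'file:///home/user/Documents/notes.txt', initiator: 'null' },
  { url: 'https://collector.example.net/upload', initiator: 'null' },
  { url: 'https://assets.example.com/sprite.png', initiator: 'null' },
  { url: 'file:///opt/example-app/resources/index.html', initiator: APP_SHELL_ORIGIN },
  { url: 'file:///opt/example-app/resources/../../../etc/hostname', initiator: APP_SHELL_ORIGIN },
];

// Hypothetical wiring into an Electron-style hook (not executed here):
//   session.defaultSession.webRequest.onBeforeRequest((details, callback) =>
//     callback({ cancel: decideRequest({ url: details.url,
//                initiator: originOfIssuingFrame(details) }).cancel }));
// where originOfIssuingFrame is the host's own way of attributing the request.

for (const r of blockedRequests(SAMPLE)) {
  console.log('BLOCKED', r.url, '-', r.reason);
}
```

Two design points matter here: untrusted content is attributed by origin rather than trusted by default, so a project or extension never inherits the shell's file access; and the file:// check runs on the parsed, normalised URL, so dot segments cannot escape the resource prefix. The host-side attribution of a request to its issuing frame is the part that must be checked against the real framework's API.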
Source: This report was generated using AI