
Cloud Vulnerability DB
A community-led vulnerabilities database
The Tauri shell plugin prior to version 2.2.1 contains a vulnerability in its open endpoint functionality. The plugin is designed to open programs through the system opener (e.g. xdg-open on Linux) and was intended to restrict protocols to https and mailto by default. However, due to improper validation of the allowed protocols, the default restriction was not functional, allowing potentially dangerous protocols such as file://, smb://, or nfs:// to be opened by the system's registered protocol handler (GitHub Advisory).
The vulnerability stems from improper validation of the allowed protocols in the open endpoint. The plugin failed to validate its input when the open configuration was not explicitly set, effectively bypassing the intended protocol restrictions. This affected both JavaScript calls made through the plugin API and direct calls from Rust code. The vulnerability has been assigned a CVSS score of 9.3 CRITICAL with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N and is tracked as CWE-20 (Improper Input Validation) (NVD).
By exploiting this vulnerability, attackers can achieve remote code execution on the target system by passing untrusted user input to the open endpoint. This can be accomplished either through direct exposure of the endpoint to application users or through code execution in the frontend of a Tauri application (GitHub Advisory).
The vulnerability has been patched in version 2.2.1 of the plugin. For users unable to upgrade, several workarounds are available:
1) Set the shell plugin configuration value 'open' to true to only allow the mailto, http, and https protocols.
2) Define a non-matching regex like 'tauri^' in the plugin configuration.
3) Remove shell:default and all instances of shell:allow-open from the capabilities.
Additionally, users are recommended to switch to the opener plugin, as the shell plugin's open endpoint was previously deprecated (GitHub Advisory).
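The following is an added illustration of the bug class described above and of the 'open: true' workaround; it is a constructed example, not code from tauri-plugin-shell. The OpenConfig enum, the scheme lists and the two check functions are hypothetical stand-ins for the plugin's configuration and validation, and the treatment of 'open: false' as "deny everything" is an assumption.

```rust
// Constructed example, not tauri-plugin-shell's own code.
/// Hypothetical stand-in for the plugin's `open` setting.
#[derive(Clone, Debug)]
pub enum OpenConfig {
    Unset,
    Flag(bool),
    Schemes(Vec<&'static str>),
}

/// Schemes the advisory says the default was meant to permit.
pub const DEFAULT_SCHEMES: &[&str] = &["https", "mailto"];
/// Schemes permitted by the `open: true` workaround.
pub const FLAG_TRUE_SCHEMES: &[&str] = &["mailto", "http", "https"];

/// URL scheme (text before the first ':'), lower-cased; None if malformed.
pub fn scheme_of(url: &str) -> Option<String> {
    let s = &url[..url.find(':')?];
    let ok = s.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    (!s.is_empty() && ok).then(|| s.to_ascii_lowercase())
}

fn scheme_in(allowed: &[&str], url: &str) -> bool {
    scheme_of(url).map_or(false, |s| allowed.contains(&s.as_str()))
}

/// Vulnerable shape: an unset config consults no allowlist at all.
pub fn is_allowed_vulnerable(cfg: &OpenConfig, url: &str) -> bool {
    match cfg {
        OpenConfig::Unset => true, // the missing validation: file://, smb://, nfs:// all pass
        OpenConfig::Flag(true) => scheme_in(FLAG_TRUE_SCHEMES, url),
        OpenConfig::Flag(false) => false, // assumed: `false` disables open entirely
        OpenConfig::Schemes(list) => scheme_in(list, url),
    }
}

/// Hardened shape: unset falls back to the default allowlist; no valid scheme, no open.
pub fn is_allowed_fixed(cfg: &OpenConfig, url: &str) -> bool {
    match cfg {
        OpenConfig::Unset => scheme_in(DEFAULT_SCHEMES, url),
        other => is_allowed_vulnerable(other, url), // the explicit arms were already correct
    }
}

fn main() {
    let samples = ["https://example.test", "mailto:a@example.test", "file:///tmp/x", "smb://host/share", "nfs://host/export"];
    for url in samples {
        let (v, f) = (is_allowed_vulnerable(&OpenConfig::Unset, url), is_allowed_fixed(&OpenConfig::Unset, url));
        println!("{url:<24} unset -> vulnerable: {v}, fixed: {f}");
    }
}
```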
Source: This report was generated using AI