CVE-2023-40168 HIGH

CVE-2023-40168: Malicious projects can read and upload arbitrary files from disk in TurboWarp Desktop

Vendor Turbowarp
Product desktop
Weakness CWE-863 · Incorrect authorization
Published August 17, 2023
Last update October 1, 2024
View on NVD All CVEs

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

TurboWarp is a desktop application that compiles scratch projects to JavaScript. TurboWarp Desktop versions prior to version 1.8.0 allowed a malicious project or custom extension to read arbitrary files from disk and upload them to a remote server. The only required user interaction is opening the sb3 file or loading the extension. The web version of TurboWarp is not affected. This bug has been addressed in commit `55e07e99b59` after an initial fix which was reverted. Users are advised to upgrade to version 1.8.0 or later. Users unable to upgrade should avoid opening sb3 files or loading extensions from untrusted sources.

Key dates

02Disclosure timeline

August 17, 2023 CVE published
October 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-5194 A system/user manager can demote / deactivate another manager CVE-2024-43131 WordPress Docket (WooCommerce Collections / Wishlist / Watchlist) plugin < 1.7.0 - Unauthenticated Arbitrary Post/Page Deletion vulnerability CVE-2026-45226 Heym < 0.0.21 Authorization Bypass in Workflow Execution CVE-2026-2126 User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter CVE-2024-2473 WPS Hide Login <= 1.9.15.2 - Login Page Disclosure