High (7.3) CVE-2025-67230

TDSA-2025-002

Improper Permissions in Custom URL Scheme Handler

Details Published:

Product: ToDesktop Builder
Affected Versions: ToDesktop Builder before 0.33.0
Fixed In: 0.33.0
Credited To: Hunter Wodzenski

Most likely, no action is required

If you have automatic security updates enabled (the default), your application has already been updated automatically. End-users will receive the fix automatically when using your app. No action is required.

What if I have disabled automatic security updates?

The small number of users who have explicitly disabled automatic security updates have been contacted directly by our team to ensure their apps are updated.

For reference, the manual update steps are:

  1. Update ToDesktop Builder to version 0.33.0 or later
  2. Rebuild your application
  3. Release a new version of your app to your users

Summary

An Improper Permissions vulnerability was identified in the Custom URL Scheme handler of applications built with ToDesktop Builder before version 0.33.0. This vulnerability allows attackers with renderer-context access to invoke ToDesktop APIs, including external protocol handlers, without sufficient validation.

This issue was proactively identified through our Vulnerability Disclosure Program and resolved before any known exploitation occurred.

Impact

  • Severity: High (CVSS 4.0: 7.3)
  • Attack Vector: Network-based; requires the attacker to already have renderer-context access and requires active user interaction
  • Potential Impact: An attacker who has gained access to the renderer context could invoke ToDesktop APIs to perform unauthorized actions, such as opening arbitrary URLs in the user’s browser or other external applications.

Technical Details

The ToDesktop API exposed to the renderer context in affected versions did not implement sufficient permission checks. An attacker with access to the renderer context (for example, through a separate vulnerability or malicious content loaded in the application) could exploit this to invoke external protocol handlers.
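The class of check the advisory describes, shown as an added illustration that is not ToDesktop's code: a main-process handler receives a URL from the renderer and refuses to pass it to the OS protocol handler unless it survives an allowlist. It assumes an Electron-style split (untrusted renderer, IPC, privileged main process calling something like shell.openExternal); the function names, the allowlist and the sample inputs are assumptions, not taken from the product.

```javascript
// Added example (not ToDesktop's code). Models an Electron-style main-process
// handler: the renderer asks the privileged side to open a URL with the OS
// protocol handler. The unchecked version forwards anything it receives; the
// checked version treats the renderer as untrusted and validates first.

// Schemes this application legitimately needs to hand to the OS. Everything
// else (file:, javascript:, vendor-specific schemes) is refused. Assumed policy.
const ALLOWED_SCHEMES = new Set(["https:", "mailto:"]);

// True only for a well-formed absolute URL whose scheme is allowlisted.
function isAllowedExternalUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return false;
  let url;
  try {
    url = new URL(raw); // WHATWG parser; relative or malformed input throws
  } catch {
    return false;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return false;
  // https must carry a real host and no embedded credentials.
  if (url.protocol === "https:" &&
      (url.hostname === "" || url.username !== "" || url.password !== "")) {
    return false;
  }
  return true;
}

// Vulnerable pattern: whatever the renderer sent reaches the OS handler.
function handleOpenExternalUnchecked(rawUrl, openExternal) {
  openExternal(rawUrl);
  return { opened: true };
}

// Hardened pattern: validate in the privileged process, log refusals so the
// event is visible to defenders, and only then call the real opener.
function handleOpenExternal(rawUrl, openExternal, log = () => {}) {
  if (!isAllowedExternalUrl(rawUrl)) {
    log(`refused openExternal request: ${JSON.stringify(rawUrl)}`);
    return { opened: false, reason: "scheme-not-allowed" };
  }
  openExternal(rawUrl);
  return { opened: true };
}

// Constructed demo with a stub opener; no browser or OS handler is touched.
const demoCalls = [];
handleOpenExternal("https://example.com/docs", (u) => demoCalls.push(u));
handleOpenExternal("file:///tmp/constructed.txt", (u) => demoCalls.push(u), console.warn);
```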

CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Timeline

All timestamps are in Coordinated Universal Time (UTC).

Date and Time                 Event
September 14th, 2025 7:37pm   Vulnerability reported by Hunter Wodzenski.
September 15th, 2025 9:14pm   Fixed version of ToDesktop Builder released.

References