TDSA-2026-001
Path Traversal in todesktop-fs Protocol Handler
Severity: High

Details Published:

Product: ToDesktop Builder
Affected Versions: ToDesktop Builder before 0.36.1
Fixed In: 0.36.1
Credited To: Kirolos Gerges

Most likely, no action is required

If you have automatic security updates enabled (the default), your application has already been updated automatically. End users will receive the fix automatically when using your app. No action is required.

What if I have disabled automatic security updates?

The small number of users who have explicitly disabled automatic security updates have been contacted directly by our team to ensure their apps are updated.

For reference, the manual update steps are:

  1. Update ToDesktop Builder to version 0.36.1 or later
  2. Rebuild your application
  3. Release a new version of your app to your users

Summary

A path traversal vulnerability (CWE-22) was identified in the todesktop-fs:// protocol handler used by applications built with ToDesktop Builder before version 0.36.1. Insufficient validation of user-controlled protocol input could allow an attacker to read arbitrary files from the host system.

This issue was responsibly disclosed through our Vulnerability Disclosure Program and resolved before any known exploitation occurred.

Impact

  • Severity: High
  • Attack Vector: Network-based, typically requires attacker-controlled content or script execution within an affected application
  • Potential Impact: An attacker could abuse the todesktop-fs:// protocol to traverse outside the intended bundled files directory and read arbitrary local files accessible to the application.

Technical Details

Applications built with affected versions exposed bundled files through the todesktop-fs:// custom protocol. In vulnerable versions, requests to the protocol handler were not sufficiently validated before being resolved on disk. This made it possible to traverse outside the intended files directory and retrieve other local files from the host system.

Version 0.36.1 added validation to ensure todesktop-fs:// requests remain scoped to the bundled files directory.

Timeline

All timestamps are in Coordinated Universal Time (UTC).

Date                 Event
January 5th, 2026    Vulnerability reported by Kirolos Gerges.
January 6th, 2026    Fix released in ToDesktop Builder 0.36.1.
April 5th, 2026      Public disclosure.
