GHSA-57F6-PVX8-HWJ6

Vulnerability from github – Published: 2026-06-26 20:44 – Updated: 2026-06-26 20:44
VLAI
Summary
turso-cli persists Turso platform JWT with world-readable (0o644) file permissions
Details

Summary

turso-cli persists the user's Turso platform JWT to settings.json using Viper's default configPermissions of 0o644, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants full Turso platform access scoped to the user's organizations.

Impact

The token in settings.json grants the holder full Turso platform access — create or destroy databases, rotate credentials, exfiltrate data, change billing settings — for any organization the user belongs to.

Because the file is world-readable, the credential is reachable by:

  • Cron jobs or daemons running as a different system user on the same host
  • Sandboxed CI runners with a mounted home directory
  • Containers with a bind-mounted host home
  • Co-tenants on a shared multi-user developer or jumpbox host

The file path resolves through configdir.LocalConfig("turso"):

  • macOS: ~/Library/Application Support/turso/settings.json
  • Linux: ~/.config/turso/settings.json (or $XDG_CONFIG_HOME/turso/settings.json)

It contains the platform JWT in plaintext JSON alongside organization and username fields.

Comparable CLIs (gh, aws, docker, gcloud, plus close peers planetscale, neon, upstash) write credential files at 0o600 explicitly, so this is a deviation from the cross-vendor baseline rather than a deliberate trade-off.

Details

The OAuth callback handler stores the platform JWT via the settings layer:

// internal/cmd/auth.go:205-214
jwt, err := callbackServer.Result()
...
settings.SetToken(jwt)

SetToken writes through Viper:

// internal/settings/settings.go:124-127
func (s *Settings) SetToken(token string) {
    viper.Set("token", token)
    s.changed = true
}

Persistence runs through viper.WriteConfig:

// internal/settings/settings.go:96-101
func TryToPersistChanges() error {
    if err := viper.WriteConfig(); err != nil {
        return fmt.Errorf("failed to persist turso settings file: %w", err)
    }
    return nil
}

Viper v1.21.0 (pinned in turso-cli go.mod) initializes configPermissions to os.FileMode(0o644) at viper.go:198 and passes that mode straight to os.OpenFile at viper.go:1688. Without a call to viper.SetConfigPermissions(0o600), the resulting settings.json is created at 0o644.

A grep over the auth-config write path under internal/ returns zero hits for Chmod, 0o600, or 0600, confirming there is no follow-up tightening of the file mode anywhere on the persistence path.

Proof of concept

Minimal reproducer using the same Viper version turso-cli pins (github.com/spf13/viper v1.21.0):

package main

import (
    "fmt"
    "os"
    "path/filepath"

    "github.com/spf13/viper"
)

func main() {
    dir, _ := os.MkdirTemp("", "viperpoc-*")
    defer os.RemoveAll(dir)

    viper.SetConfigName("settings")
    viper.SetConfigType("json")
    viper.AddConfigPath(dir)

    viper.Set("token", "FAKE_TURSO_JWT_xxxxxxxxxxxxxxxxxxxx")
    viper.Set("organization", "exampleorg")
    viper.SafeWriteConfig()

    st, _ := os.Stat(filepath.Join(dir, "settings.json"))
    fmt.Printf("mode: %o\n", st.Mode()&0o777)
}

$ go run main.go mode: 644

The same SafeWriteConfig / WriteConfig calls turso-cli uses produce the same 0o644 mode in a real turso auth login flow.

Remediation

One-line fix at the existing Viper configuration site in internal/settings/settings.go (around lines 48-50):

viper.SetConfigName("settings")
viper.SetConfigType("json")
viper.AddConfigPath(configPath)
viper.SetConfigPermissions(0o600) // restrict settings.json to owner only

Defense in depth:

  • Add os.Chmod(configFile, 0o600) after TryToPersistChanges, or on read (as PlanetScale does in internal/config/config.go — they Stat the token file and self-heal if Mode() &^ 0o600 is nonzero). viper.SetConfigPermissions applies only on file creation, so an existing wider-mode file is not tightened otherwise.
  • Add os.Chmod(configPath, 0o700) after configdir.MakePath(configPath) (line 43) to close the equivalent gap on the enclosing directory, which is otherwise created under the default umask.

Patch: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66

Workarounds

Until upgraded, users can tighten the existing files manually:

# Linux
chmod 600 ~/.config/turso/settings.json
chmod 700 ~/.config/turso

# macOS
chmod 600 "$HOME/Library/Application Support/turso/settings.json"
chmod 700 "$HOME/Library/Application Support/turso"

This must be repeated after any operation that recreates the file (e.g. turso auth login) until the patched version is installed.

Resources

  • Patch commit: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66
  • Viper configPermissions default: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L198
  • Viper write path: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L1688
  • CWE-276: https://cwe.mitre.org/data/definitions/276.html
  • CWE-732: https://cwe.mitre.org/data/definitions/732.html
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.25"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tursodatabase/turso-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:44:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`turso-cli` persists the user\u0027s Turso platform JWT to `settings.json` using Viper\u0027s default `configPermissions` of `0o644`, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants full Turso platform access scoped to the user\u0027s organizations.\n\n### Impact\n\nThe token in `settings.json` grants the holder full Turso platform access \u2014 create or destroy databases, rotate credentials, exfiltrate data, change billing settings \u2014 for any organization the user belongs to.\n\nBecause the file is world-readable, the credential is reachable by:\n\n- Cron jobs or daemons running as a different system user on the same host\n- Sandboxed CI runners with a mounted home directory\n- Containers with a bind-mounted host home\n- Co-tenants on a shared multi-user developer or jumpbox host\n\nThe file path resolves through `configdir.LocalConfig(\"turso\")`:\n\n- macOS: `~/Library/Application Support/turso/settings.json`\n- Linux: `~/.config/turso/settings.json` (or `$XDG_CONFIG_HOME/turso/settings.json`)\n\nIt contains the platform JWT in plaintext JSON alongside `organization` and `username` fields.\n\nComparable CLIs (`gh`, `aws`, `docker`, `gcloud`, plus close peers `planetscale`, `neon`, `upstash`) write credential files at `0o600` explicitly, so this is a deviation from the cross-vendor baseline rather than a deliberate trade-off.\n\n### Details\n\nThe OAuth callback handler stores the platform JWT via the settings layer:\n\n```go\n// internal/cmd/auth.go:205-214\njwt, err := callbackServer.Result()\n...\nsettings.SetToken(jwt)\n```\n\n`SetToken` writes through Viper:\n\n```go\n// internal/settings/settings.go:124-127\nfunc (s *Settings) SetToken(token string) {\n    viper.Set(\"token\", token)\n    s.changed = true\n}\n```\n\nPersistence runs through `viper.WriteConfig`:\n\n```go\n// internal/settings/settings.go:96-101\nfunc TryToPersistChanges() error {\n    if err := viper.WriteConfig(); err != nil {\n        return fmt.Errorf(\"failed to persist turso settings file: %w\", err)\n    }\n    return nil\n}\n```\n\nViper v1.21.0 (pinned in `turso-cli` `go.mod`) initializes `configPermissions` to `os.FileMode(0o644)` at `viper.go:198` and passes that mode straight to `os.OpenFile` at `viper.go:1688`. Without a call to `viper.SetConfigPermissions(0o600)`, the resulting `settings.json` is created at `0o644`.\n\nA `grep` over the auth-config write path under `internal/` returns zero hits for `Chmod`, `0o600`, or `0600`, confirming there is no follow-up tightening of the file mode anywhere on the persistence path.\n\n### Proof of concept\n\nMinimal reproducer using the same Viper version `turso-cli` pins (`github.com/spf13/viper v1.21.0`):\n\n```go\npackage main\n\nimport (\n    \"fmt\"\n    \"os\"\n    \"path/filepath\"\n\n    \"github.com/spf13/viper\"\n)\n\nfunc main() {\n    dir, _ := os.MkdirTemp(\"\", \"viperpoc-*\")\n    defer os.RemoveAll(dir)\n\n    viper.SetConfigName(\"settings\")\n    viper.SetConfigType(\"json\")\n    viper.AddConfigPath(dir)\n\n    viper.Set(\"token\", \"FAKE_TURSO_JWT_xxxxxxxxxxxxxxxxxxxx\")\n    viper.Set(\"organization\", \"exampleorg\")\n    viper.SafeWriteConfig()\n\n    st, _ := os.Stat(filepath.Join(dir, \"settings.json\"))\n    fmt.Printf(\"mode: %o\\n\", st.Mode()\u00260o777)\n}\n```\n$ go run main.go mode: 644\n\nThe same `SafeWriteConfig` / `WriteConfig` calls `turso-cli` uses produce the same `0o644` mode in a real `turso auth login` flow.\n\n### Remediation\n\nOne-line fix at the existing Viper configuration site in `internal/settings/settings.go` (around lines 48-50):\n\n```go\nviper.SetConfigName(\"settings\")\nviper.SetConfigType(\"json\")\nviper.AddConfigPath(configPath)\nviper.SetConfigPermissions(0o600) // restrict settings.json to owner only\n```\n\nDefense in depth:\n\n- Add `os.Chmod(configFile, 0o600)` after `TryToPersistChanges`, or on read (as PlanetScale does in `internal/config/config.go` \u2014 they `Stat` the token file and self-heal if `Mode() \u0026^ 0o600` is nonzero).  `viper.SetConfigPermissions` applies only on file creation, so an existing wider-mode file is not tightened otherwise.\n- Add `os.Chmod(configPath, 0o700)` after `configdir.MakePath(configPath)` (line 43) to close the equivalent gap on the enclosing directory, which is otherwise created under the default umask.\n\nPatch: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66\n\n### Workarounds\n\nUntil upgraded, users can tighten the existing files manually:\n\n```sh\n# Linux\nchmod 600 ~/.config/turso/settings.json\nchmod 700 ~/.config/turso\n\n# macOS\nchmod 600 \"$HOME/Library/Application Support/turso/settings.json\"\nchmod 700 \"$HOME/Library/Application Support/turso\"\n```\n\nThis must be repeated after any operation that recreates the file (e.g.\n`turso auth login`) until the patched version is installed.\n\n### Resources\n\n- Patch commit: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66\n- Viper `configPermissions` default: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L198\n- Viper write path: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L1688\n- CWE-276: https://cwe.mitre.org/data/definitions/276.html\n- CWE-732: https://cwe.mitre.org/data/definitions/732.html",
  "id": "GHSA-57f6-pvx8-hwj6",
  "modified": "2026-06-26T20:44:39Z",
  "published": "2026-06-26T20:44:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tursodatabase/turso-cli/security/advisories/GHSA-57f6-pvx8-hwj6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tursodatabase/turso-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "turso-cli persists Turso platform JWT with world-readable (0o644) file permissions"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…