Share
## https://sploitus.com/exploit?id=A3F00E9C-004A-5C75-B634-EDB480F93210
# CVE-2026-XXXXX: Arbitrary URL Scheme Execution in Meru (Gmail Desktop)

## Vulnerability Summary

**Product**: Meru (formerly Gmail Desktop)  
**Affected Versions**: All versions up to and including v3.28.0  
**Vulnerability Type**: Improper Input Validation (CWE-20)  
**CVSS Score**: 9.6 (Critical)  
**Attack Vector**: Network (Phishing Email)  
**Impact**: Remote Code Execution / Information Disclosure  

---

## Description

Meru is an Electron-based desktop application for Gmail with **957+ stars on GitHub**. The application contains a critical vulnerability in its URL handling mechanism that allows arbitrary URL scheme execution.

When a user clicks a link in an email, Meru calls `shell.openExternal(cleanUrl)` to open it. However, the `getCleanUrl()` function in `packages/app/url.ts` **does not validate URL schemes/protocols**, allowing attackers to execute:
- `file://` - Access local files
- `javascript:` - Execute JavaScript (browser-dependent)
- Custom schemes (e.g., `vscode://`, `slack://`) - Trigger arbitrary applications

---

## Proof of Concept (PoC)

### Step 1: Create Malicious Email
Run the included `poc.py` script to generate a malicious HTML email:

```bash
python3 poc.py
```

This creates `malicious_email.html` containing links with dangerous protocols:
```html
Verify Account
Verify Account (Google Redirect)
```

### Step 2: Send Email to Victim
Send the HTML email to a target Gmail account.

### Step 3: Trigger Vulnerability
1. Victim opens the email in Meru
2. Victim clicks any "Verify Account" link
3. **RESULT**: System files (`/etc/passwd`, `/etc/hosts`) open in default text editor

### Verification
Our test (`verify_meru.js`) confirmed:
```
Test 1: Direct file:// protocol
  Input:    file:///etc/passwd
  Output:   file:///etc/passwd
  Status:   โœ“ PASS
  โš ๏ธ  VULNERABLE: Dangerous protocol allowed!

RESULT: 4/4 dangerous protocols passed through
```

---

## Root Cause

**Vulnerable Code** (`packages/app/url.ts`):

```typescript
export function getCleanUrl(url: string): string {
    if (url.includes("google.com/url")) {
        return new URL(url).searchParams.get("q") ?? url;
    }
    return url;  // โŒ NO PROTOCOL VALIDATION
}

export async function openExternalUrl(url: string, trustedLink?: boolean) {
    const cleanUrl = getCleanUrl(url);
    // ... optional confirmation dialog ...
    shell.openExternal(cleanUrl); // โŒ EXECUTES ANY PROTOCOL
}
```

**The Problem**:
1. `getCleanUrl` only handles Google redirect extraction
2. No allowlist for safe protocols (`http:`, `https:`, `mailto:`)
3. `shell.openExternal` will execute **any** URL scheme

---

## Impact

### High Severity Scenarios

1. **Information Disclosure**
   - `file:///etc/passwd` โ†’ Leaks system user information
   - `file:///Users//.ssh/id_rsa` โ†’ Exposes SSH private keys

2. **Remote Code Execution**
   - Custom schemes registered to execute commands
   - Example: `steam://run/1234` can launch applications
   - macOS: `open` command injection via crafted schemes

3. **Phishing Amplification**
   - Attackers can bypass "trusted link" confirmation dialogs
   - Google redirect (`google.com/url?q=...`) extraction makes this easier

---

## Mitigation

### Recommended Fix

Implement protocol validation in `getCleanUrl()`:

```typescript
const ALLOWED_PROTOCOLS = ['http:', 'https:', 'mailto:'];

export function getCleanUrl(url: string): string {
    if (url.includes("google.com/url")) {
        url = new URL(url).searchParams.get("q") ?? url;
    }
    
    // Validate protocol
    try {
        const parsedUrl = new URL(url);
        if (!ALLOWED_PROTOCOLS.includes(parsedUrl.protocol)) {
            console.error(`Blocked dangerous protocol: ${parsedUrl.protocol}`);
            return 'about:blank';
        }
    } catch (e) {
        console.error('Invalid URL:', url);
        return 'about:blank';
    }
    
    return url;
}
```

---

## Timeline

- **2026-01-23**: Vulnerability discovered during security audit
- **2026-01-23**: PoC developed and verified
- **2026-01-23**: CVE requested from MITRE
- **TBD**: Responsible disclosure to maintainers
- **TBD**: Patch released

---

## References

- GitHub Repository: https://github.com/zoidsh/meru
- Vulnerable File: [`packages/app/url.ts:49`](https://github.com/zoidsh/meru/blob/main/packages/app/url.ts#L49)
- Electron Security: https://www.electronjs.org/docs/latest/tutorial/security#14-do-not-use-openexternal-with-untrusted-content

---

## CVE Request Information

**Discoverer**: NiceTop  
**Vendor**: zoidsh (GitHub)  
**Product**: Meru (Gmail Desktop)  
**Affected Versions**: All versions โ‰ค 3.28.0  
**Fixed Version**: None (0-Day)  

---

## Disclaimer

This PoC is provided for **security research and responsible disclosure** purposes only. Unauthorized testing against production systems without permission is illegal.