This is a warning thing. I know me posting this won't reach many people, but I'll share it anyway because it's important.

Okay, so I just saw this in a post from today on a certain site that Scratch won't let me say or link to. If you can't read the image, I put the text in N&C. Basically this means that opening the costume + backdrop editor could be dangerous.

I tried the proof of concept myself, but on the site instead; however, it did not display anything except the standard "Scratch has crashed, we're so sorry, this bug has automatically been reported" message. This is not what it said it'd do, but I didn't check it the way it was supposed to be checked (using the desktop version), and I can't find any source that says the issue is fixed. So in the meantime, until there's some actual sign that this is fixed, PLEASE WATCH OUT. [Edit: I read the text again and it didn't work because I uploaded it the normal way to the site, not using API requests.]

It affects SVGs, so no bitmap costumes, but you can't see a hidden sprite or costume before the action of opening the editor. So doing that on *any* project could be dangerous. I'm not super familiar with TurboWarp, but that isn't affected, so it *should* be safe to open the editor over there.

Here's the full thing: https://muffin.ink/blog/scratch-vulnerability-disclosure/

And here's the discussion about it on the Scratch forum: https://scratch.mit.edu/discuss/topic/881514/?page=1#post-9146484

I am not the source of any of this information; please use the other places I linked to in this message if you have any questions about this. I don't wanna accidentally spread misinformation!
What the image says:

"Every version of Scratch is vulnerable to arbitrary code execution
2026-04-23 on muffin.ink

All desktop versions of Scratch available on https://scratch.mit.edu/download or https://www.scratchfoundation.org/tools are vulnerable to arbitrary code execution when opening the costume editor on a malicious project. That means opening the costume editor could allow someone to install ransomware on your computer, or execute any other malware they want.

This bug was disclosed to Scratch in February 2024. As of publishing, the latest version of Scratch Desktop is 3.31.1. All versions can execute arbitrary code when opening the costume editor in a malicious project. 3.29.1 and earlier can also execute arbitrary code when importing a malicious SVG. Many versions of Scratch Desktop have no update checker, so there is often no way to notify people they are using a vulnerable version.

Proof of concept: xss-when-open-costume-editor.sb3. Open this project in Scratch Desktop, then open the costume editor tab. This proof-of-concept will display a list of files in your home directory to prove that it is not sandboxed, but won't modify or upload anything. Extending it to do so would be trivial.

The same vulnerability can also be exploited on the Scratch website. To exploit it, an attacker needs to upload a malicious costume to Scratch using direct API requests (uploading via the normal editor won't work). If anyone visits the project and then opens the costume editor, arbitrary attacker-controlled JavaScript is run by the victim. This allows the attacker to take actions on behalf of the victim's account, such as posting comments or deleting projects.

Technical details have been on this blog for a while:
https://muffin.ink/blog/scratch-svg-sanitization/
https://muffin.ink/blog/paperjs-xss/
Most posts on https://muffin.ink/ are tied to this in some way.

I am not aware of any security issues in the latest https://turbowarp.org/editor or TurboWarp Desktop 1.15.5. I do not know if Scratch's Android app is affected. Major versions of Scratch before 3.x.x are not affected."
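Since the post points out that you can't see a hidden costume before opening the editor, here is an added example (not from the post, the Scratch forum thread, or muffin.ink) of a defender-side pre-check: a Python script that unpacks an .sb3 (a zip holding project.json plus asset files) and flags SVG costumes that contain script elements, event-handler attributes or javascript: URLs, so a project can be inspected before the editor is ever opened. The sample project and asset names are constructed, and the markers it looks for are a heuristic for triage, not a guarantee that a costume is safe.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Constructed sample costumes (not taken from any real project).
SAFE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
RISKY_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<script>alert(1)</script>'
             b'<rect width="10" height="10" onload="alert(1)"/>'
             b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def svg_findings(data: bytes) -> list[str]:
    """Return reasons an SVG costume looks unsafe; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"unparseable SVG: {e}"]
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the namespace prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()      # covers both href and xlink:href
            if local.startswith("on"):
                findings.append(f"event handler attribute {local} on <{tag}>")
            if local == "href" and re.match(r"^\s*javascript:", value, re.I):
                findings.append(f"javascript: URL on <{tag}>")
    return findings

def scan_sb3(sb3_bytes: bytes) -> dict[str, list[str]]:
    """Map each flagged .svg asset inside an .sb3 archive to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(sb3_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".svg"):
                found = svg_findings(zf.read(name))
                if found:
                    report[name] = found
    return report

def build_sample_sb3() -> bytes:
    """Constructed .sb3 with one safe and one risky costume; project.json is kept minimal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project.json", '{"targets": [], "meta": {"semver": "3.0.0"}}')
        zf.writestr("0a1b2c3d.svg", SAFE_SVG)    # constructed asset name
        zf.writestr("4e5f6a7b.svg", RISKY_SVG)   # constructed asset name
    return buf.getvalue()

if __name__ == "__main__":
    for asset, reasons in scan_sb3(build_sample_sb3()).items():
        print(asset, "->", "; ".join(reasons))
```

To check a downloaded project, replace build_sample_sb3() with the bytes of the .sb3 file; anything flagged is worth treating as untrusted until the fix the post is waiting for actually ships.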