Update May 6, 2026: Scratch expanded their server-side filtering to hopefully prevent uploading new malicious projects to the Scratch website, with more permanent fixes in various stages of development. No fix is available for Scratch Desktop yet.
Everything below this point was accurate as of May 4, 2026.
All desktop versions of Scratch available on https://scratch.mit.edu/download or https://www.scratchfoundation.org/tools are vulnerable to arbitrary code execution when opening the costume editor on a malicious project. That means opening the costume editor could allow someone to install ransomware on your computer, or execute any other malware they want. This bug was disclosed to Scratch in February 2024.
As of publishing, the latest version of Scratch Desktop is 3.31.1. All versions can execute arbitrary code when opening the costume editor in a malicious project. 3.29.1 and earlier can also execute arbitrary code when importing a malicious SVG. Many versions of Scratch Desktop have no update checker, so there is often no way to notify people they are using a vulnerable version.
Proof of concept: xss-when-open-costume-editor.sb3. Open this project in Scratch Desktop, then open the costume editor tab. This proof-of-concept will display a list of files in your home directory to prove that it is not sandboxed, but won't modify or upload anything. Extending it to do so would be trivial.
The same vulnerability can also be exploited on the Scratch website. To exploit it, an attacker needs to upload a malicious costume to Scratch using direct API requests (uploading via the normal editor won't work). If anyone visits the project and then opens the costume editor, arbitrary attacker-controlled JavaScript is run by the victim. This allows the attacker to take actions on behalf of the victim's account, such as posting comments or deleting projects.
Technical details have been on this blog for a while:
- https://muffin.ink/blog/scratch-svg-sanitization/
- https://muffin.ink/blog/paperjs-xss/
- Most posts on https://muffin.ink/ are tied to this in some way
I am not aware of any security issues in the latest https://turbowarp.org/editor or TurboWarp Desktop 1.15.5. Major versions of Scratch before 3.x.x are not affected. Scratch Android is also affected but the impact is reduced by sandboxing.
While you're here, here are a few additional Scratch security issues - past and current - that might be interesting.
A similar security bug occurred in 2020. That bug was actually more severe because it allowed arbitrary code execution just by loading a project, without needing to open the costume editor. Despite this, Scratch Desktop did not adopt industry-standard sandboxing techniques. These sandboxes are built into the framework Scratch Desktop uses (Electron) and could be enabled easily. Sandboxing would prevent this kind of bug from doing any lasting damage unless it were combined with an additional sandbox escape bug (rare).
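To make the "built into Electron" point concrete, here is an added example (not Scratch Desktop's own code) that audits a BrowserWindow's `webPreferences` object for the renderer-sandboxing flags in question. The flag names are real Electron options; the two sample configurations and the `preload.js` path are constructed for illustration.

```javascript
// Renderer hardening checklist. Each entry is a real Electron webPreferences
// flag, the value a sandboxed renderer needs, and why the wrong value matters
// when attacker-controlled JavaScript (e.g. from a malicious SVG) runs in a page.
const CHECKS = [
  { key: 'sandbox',          want: true,  why: 'renderer process runs outside the OS-level sandbox' },
  { key: 'contextIsolation', want: true,  why: 'page scripts share a JS context with the preload script' },
  { key: 'nodeIntegration',  want: false, why: 'page scripts can require() child_process, fs, etc. directly' },
  { key: 'webSecurity',      want: true,  why: 'same-origin policy is disabled for the renderer' },
];

// Audit a webPreferences object. Returns a list of findings; empty means every
// checked flag is explicitly set to its hardened value. Omitted flags are reported
// as "info" rather than assumed safe, because Electron's defaults have changed
// across major versions and an explicit value is the only portable guarantee.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const { key, want, why } of CHECKS) {
    if (!(key in prefs)) {
      findings.push({ key, severity: 'info', detail: `${key} not set; relying on the Electron default` });
    } else if (prefs[key] !== want) {
      findings.push({ key, severity: 'high', detail: why });
    }
  }
  return findings;
}

// Constructed "weak" configuration: with these settings an XSS in the page is
// already native code execution, which is the failure mode described above.
const weakPrefs = { sandbox: false, contextIsolation: false, nodeIntegration: true, webSecurity: true };

// Constructed hardened configuration. Anything the renderer legitimately needs
// from the host (file dialogs, saving a project) is exposed piecemeal from the
// preload script via contextBridge instead of giving the page raw Node access.
const hardenedPrefs = {
  sandbox: true, contextIsolation: true, nodeIntegration: false, webSecurity: true,
  preload: 'preload.js', // hypothetical path
};

// Guard the window constructor: refuse to create a renderer with any high-severity
// finding. `BrowserWindow` is passed in so the audit itself runs without Electron.
function createWindow(BrowserWindow, prefs) {
  const high = auditWebPreferences(prefs).filter(f => f.severity === 'high');
  if (high.length > 0) {
    throw new Error('refusing to create unsandboxed renderer: ' + high.map(f => f.key).join(', '));
  }
  return new BrowserWindow({ webPreferences: prefs });
}
```

Running `auditWebPreferences` against the existing window options at startup (or in CI) turns the sandbox checklist into a regression test rather than a one-time review.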
Using a different set of security bugs, you can still upload a project to scratch.mit.edu that will IP log anyone who loads it and do various fun things to the page styles. The earliest of these bugs that still works was disclosed to Scratch in June 2025. See https://muffin.ink/blog/scratch-svg-sanitization/ for the entire SVG sanitization journey.
From 2012-2022, the Scratch API for downloading projects required no authentication. All you needed to download a project was its ID, then you could access it even if the project was unshared. Scratch project IDs are a sequentially increasing series of numbers, so guessing the ID of a project is really simple (just keep adding 1 until you find it). They're also often revealed in screenshots because people assumed that unshared projects were actually unshared. This was fixed by requiring a short-lived token to access a project; acquiring this token requires authentication.
In 2023, Scratch undid the unshared project security fix by exposing an apparent internal service to the open internet. While the normal projects.scratch.mit.edu API required authentication, you could use scratch-projects.scratch.org instead, which allowed downloading projects but did not check for a valid token, thus returning to the 2012-2022 status quo. Anyone could find this domain via certificate transparency logs. This was fixed in April 2026 after people had been talking about it on the Scratch forum for months.
To this day, there are still interesting things on the scratch.org domain. For example, scratch-api.scratch.org seems to be the same as api.scratch.mit.edu but has no caching. Very curious.