This blog post discloses unfixed security bugs in Scratch. Technical details have been on this blog for a bit, but the actual user impact was never clarified. Here's the public-facing internet version of this disclosure.
All desktop versions of Scratch available on https://scratch.mit.edu/download or https://www.scratchfoundation.org/tools are vulnerable to arbitrary code execution when opening the costume editor on a malicious project or opening a malicious SVG. That means opening the costume editor could allow someone to install ransomware on your computer. This bug was disclosed to Scratch in February 2024.
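A defender who has a downloaded `.sb3` project on disk may want to triage it before opening it in an unpatched Scratch Desktop. The script below is an added example, not code from Scratch, TurboWarp or the linked posts; it assumes the standard `.sb3` layout (a zip archive containing `project.json` and asset files, with vector costumes carrying a `.svg` extension) and flags the generic kinds of active content an SVG sanitizer is expected to remove (`<script>`, `<foreignObject>`, `on*` event handlers, `javascript:` hrefs, SMIL `<set>`/`<animate>` retargeting). The sample costumes and file names in it are constructed for the demonstration.

```python
"""Heuristic scan of SVG costumes inside Scratch .sb3 projects for active content.

Added example, not code from Scratch or from the linked posts. Assumes the standard
.sb3 layout (a zip archive with project.json plus asset files, SVG costumes carrying
a .svg extension). Flagging is heuristic: an empty result does not prove an SVG is
safe, since the bypass the linked posts describe need not match these patterns.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Element names that can carry script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# SMIL animation elements that can rewrite another attribute at runtime.
ANIMATION_ELEMENTS = {"set", "animate"}
# href values with this scheme execute script when followed in a browser.
JAVASCRIPT_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def find_active_svg_content(svg_bytes: bytes) -> list[str]:
    """Return human-readable findings for one SVG document (empty list if none fired)."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # A file strict XML rejects may still load in a browser's lenient parser,
        # so report it rather than silently treating it as clean.
        return [f"unparseable XML ({exc}); browser parsing may differ"]

    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        if tag in ANIMATION_ELEMENTS:
            target = elem.get("attributeName", "").lower()
            if target.startswith("on") or target == "href":
                findings.append(f"<{tag}> retargets attribute {target}")
        for attr, value in elem.attrib.items():
            attr_local = _local(attr).lower()
            if attr_local.startswith("on"):
                findings.append(f"event handler attribute {attr_local} on <{tag}>")
            elif attr_local == "href" and JAVASCRIPT_SCHEME.match(value):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def scan_sb3(sb3_file) -> dict[str, list[str]]:
    """Scan every .svg entry in an .sb3 (path or file-like); map entry name -> findings."""
    report = {}
    with zipfile.ZipFile(sb3_file) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".svg"):
                findings = find_active_svg_content(zf.read(name))
                if findings:
                    report[name] = findings
    return report


# Constructed sample costumes for the demonstration (not taken from any real project).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
    b'<script>x()</script>'
    b'<a xlink:href="javascript:x()"><text>hi</text></a></svg>'
)


def build_sample_sb3() -> io.BytesIO:
    """Build an in-memory .sb3 with one benign and one suspicious costume (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project.json", "{}")  # placeholder, not a real project
        zf.writestr("costume-benign.svg", BENIGN_SVG)
        zf.writestr("costume-suspicious.svg", SUSPICIOUS_SVG)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, hits in scan_sb3(build_sample_sb3()).items():
        print(entry)
        for hit in hits:
            print("  -", hit)
```

Point `scan_sb3` at a real `.sb3` path to get a per-costume report. A non-empty report is a reason not to open the project in an affected editor; an empty report is only a triage result, not a guarantee, because the actual sanitization bypass is not one of these patterns by construction and a browser's HTML parser can read an SVG differently from a strict XML parser.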
Many versions of Scratch Desktop have no update checker, so there is often no way to notify people about this. As of publishing, the latest Scratch Desktop version is 3.31.1. It and all lower versions are affected.
The underlying XSS still exists on scratch.mit.edu. My proof-of-concept project from two years ago still works. I'm told they have server-side protections, but I've never seen evidence of that.
Using a different security bug, you can also upload projects to scratch.mit.edu that log the IP address of anyone who loads them and do various fun things to the page styles. The earliest of these bugs that still works was disclosed to Scratch in June 2025.
Technical details are available across several blog posts:
- https://muffin.ink/blog/scratch-svg-sanitization/
- https://muffin.ink/blog/paperjs-xss/
- Most posts on https://muffin.ink/ are tied to this in some way
I am not aware of any security issues in the latest https://turbowarp.org/editor or TurboWarp Desktop 1.15.5.