
Username spoofing in OnionShare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

It is possible to take the username of another chat participant by appending a space character to the end of the name string: the two names differ only by the trailing whitespace, which is not visible in the web interface.

Technical description:

Assumed chat participants: Alice, Bob and Mallory.

  1. Mallory renames to "Alice " (with a trailing space).
  2. Mallory sends a message as "Alice ".
  3. Alice and Bob receive a message from Mallory disguised as "Alice ", which is hard to distinguish from the real Alice in the web interface.

[Screenshots from the report: otf-005-a, otf-005-b]

Other (invisible) whitespace characters were found to work as well.

An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username.
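The mitigation a chat server needs here is to compare usernames only after normalizing them, so that "Alice " or "Alice" followed by a zero-width character collides with the existing "Alice" and the rename is refused. The following Python is an added example written for this page; it is not OnionShare's code and not the fix shipped in 2.5. The function and class names (normalize_username, ChatRoster, demo) and the policy of dropping all Unicode format and control characters are this example's own choices.

```python
from __future__ import annotations

import unicodedata

# Added example, not OnionShare's code: refuse renames that collide with an
# existing participant once trailing, non-breaking and zero-width characters
# have been removed from the requested name.

# Unicode general categories whose members have no visible glyph of their own:
# Cf (format, e.g. U+200B ZERO WIDTH SPACE, U+FEFF) and Cc (control). Treating
# every such character as forbidden is this example's policy, not a rule stated
# in the advisory.
INVISIBLE_CATEGORIES = {"Cf", "Cc"}


def normalize_username(name: str) -> str:
    """Return the canonical form of a requested display name.

    - NFKC folds compatibility variants (fullwidth letters, U+00A0, U+3000)
      onto their base characters.
    - Format and control characters are dropped entirely.
    - Every run of Unicode whitespace becomes one ASCII space; ends are trimmed.
    """
    name = unicodedata.normalize("NFKC", name)
    name = "".join(
        ch for ch in name if unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )
    # str.split() with no separator splits on every str.isspace() character
    # (U+00A0, U+2003, U+3000, ...), so the join collapses and trims in one step.
    return " ".join(name.split())


class ChatRoster:
    """Maps a session id to its display name; uniqueness is enforced on the
    normalized name, never on the raw string the client sent."""

    def __init__(self) -> None:
        self.names: dict[str, str] = {}

    def rename(self, session_id: str, requested: str) -> str:
        canonical = normalize_username(requested)
        if not canonical:
            raise ValueError("username must contain at least one visible character")
        for other_session, taken in self.names.items():
            if other_session != session_id and taken == canonical:
                raise ValueError(f"username {canonical!r} is already in use")
        # Store the canonical form so later comparisons stay consistent.
        self.names[session_id] = canonical
        return canonical


def demo() -> dict[str, bool]:
    """Constructed scenario following the advisory: Alice and Bob are in the
    room, Mallory tries several look-alike names. Returns attempt -> accepted."""
    roster = ChatRoster()
    roster.rename("alice-session", "Alice")
    roster.rename("bob-session", "Bob")
    attempts = (
        "Alice ",        # trailing ASCII space, the reported case
        "Alice\u00a0",   # NO-BREAK SPACE
        "Alice\u200b",   # ZERO WIDTH SPACE
        "\ufeffAlice",   # BYTE ORDER MARK as a prefix
        "Alice\u3000",   # IDEOGRAPHIC SPACE
        "Mallory",       # a genuinely distinct name, which must still work
    )
    results: dict[str, bool] = {}
    for attempt in attempts:
        try:
            roster.rename("mallory-session", attempt)
            results[attempt] = True
        except ValueError:
            results[attempt] = False
    return results


if __name__ == "__main__":
    for attempt, accepted in demo().items():
        print(f"{attempt!r:>14} -> {'accepted' if accepted else 'rejected'}")
```

Only the five look-alike names are rejected; the plain "Mallory" rename goes through. The check is deliberately done server-side on the normalized form, since a client can send any bytes it likes regardless of what the web interface offers. Case folding could be added to normalize_username if a deployment also wants "alice" and "Alice" to be treated as the same participant.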

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 4 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-68vr-8f46-vc9f, CVE-2022-21696

Affected Packages

Versions: >= 2.3, < 2.5
Fixed in: 2.5