
Security Advisories: GSA_kwCzR0hTQS02OHZyLThmNDYtdmM5Zs0kfA

Username spoofing in OnionShare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.


It is possible to change the username to that of another chat participant with an additional space character at the end of the name string.

Technical description:

Assumed users in chat: Alice, Bob and Mallory.

  1. Mallory renames to "Alice " (with a trailing space).
  2. Mallory sends a message as "Alice ".
  3. Alice and Bob receive a message from Mallory disguised as "Alice ", which is hard to distinguish from the real "Alice" in the web interface.


Other (invisible) whitespace characters were found to work as well.


An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username.
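One way to close this gap on the server side is to compare usernames in a canonical form that ignores whitespace and invisible characters. The following is an added example, not OnionShare's code or its 2.5 fix; `canonical_username`, `try_rename` and the session ids are hypothetical names, and the sample participants are constructed.

```python
import unicodedata

# Unicode categories dropped outright: line/paragraph separators, control
# characters and format characters (e.g. U+200B ZERO WIDTH SPACE is Cf).
DROPPED = {"Zl", "Zp", "Cc", "Cf"}


def canonical_username(name):
    """Return the form of a name used for both uniqueness checks and display."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        cat = unicodedata.category(ch)
        if cat == "Zs":          # any space separator becomes a plain space
            out.append(" ")
        elif cat not in DROPPED:
            out.append(ch)
    # Trim the ends and collapse inner runs of spaces.
    return " ".join("".join(out).split())


def try_rename(requested, session_id, names_by_session):
    """Apply a rename if the canonical name is non-empty and not held by
    another session. Returns the accepted name, or None when rejected."""
    candidate = canonical_username(requested)
    if not candidate:
        return None
    for sid, existing in names_by_session.items():
        if sid != session_id and canonical_username(existing) == candidate:
            return None
    names_by_session[session_id] = candidate
    return candidate


if __name__ == "__main__":
    # Constructed chat state matching the scenario in the advisory.
    names = {"s-alice": "Alice", "s-bob": "Bob", "s-mallory": "Mallory"}
    for attempt in ["Alice ", "Alice\u200b", "Alice\u00a0", "  Carol "]:
        print(repr(attempt), "->", try_rename(attempt, "s-mallory", names))
```

Category-based stripping does not cover every character that renders as blank (some invisible code points are classified as letters), so an allow-list of permitted characters is the stricter option.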


Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-68vr-8f46-vc9f, CVE-2022-21696
References: Repository:
Blast Radius: 1.0

Affected Packages

Dependent packages: 0
Dependent repositories: 0
Downloads: last month
Affected Version Ranges: >= 2.3, < 2.5
Fixed in: 2.5
All affected versions:
All unaffected versions: