An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13OW00LTd3NzItcjc2Ns0kdw

Improper Access Control in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.


Chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom.

Technical description:

otf-004-a otf-004-b otf-004-c

This series of screenshots show Alice, Bob and Eve joined a chatroom and are the only participants in the chatroom. Eve seemingly leaves the chatroom, which leads Bob and Alice to believe they are having a private chat. The last screenshot shows that Eve only emitted the leave message and is still able to read the chat and possibly write messages.

This can be reproduced by joining the chat with two different instances, where one instance has slightly modified the client-side JavaScript code similar to OTF-003 (page 22). The joined emit needs to be removed from the connect event handler. Therefore the modified client is not listed in the userlist and has no active session. The modified non-listed user also needs to change their username to Eve, which is not shown in the chatroom. The modified client then emits the disconnect event and their connection is no longer usable.

This results in the leave message for Eve and the removal from the user-list but not in removal of the original session of the Eve who announced to join the chat.


An adversary with access to the chat environment can spoof his leave event but still persist in the chat with access to all sent messages and the possibility to write in the chat using OTF-003 (page 22).


Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 8 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-w9m4-7w72-r766, CVE-2022-21691

Affected Packages

Versions: >= 2.3, < 2.5
Fixed in: 2.5