An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oMjljLXdjbTgtODgzaM0keg

Incorrect Permission Assignment for Critical Resource in OnionShare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.


The CSP can be turned on or off but not configured for the specific needs of the website.

Technical description:

The website mode of the application allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images.

If CSP were configurable, the website creator could harden it accordingly to the needs of the application.

As this issue correlates with the Github issue for exposing the flask application directly ( onionshare/issues/1389), it can be assumed that this can be solved by either changing to a well-known webserver, which supports this kind of configuration, or enhancing the status quo by making the CSP a configurable part of each website.

We believe that bundling the nginx or apache webserver would add complexity and dependencies to the application that could result in a larger attack surface - as these packages receive regular security updates. On the other hand it is not recommended to directly expose the flask webserver, due to lack of hardening. This is a trade-off which needs to be evaluated by the Onionshare developers, as multiple features are involved. Ideally the application user could choose between the built-in flask webserver or a system webserver of choice.


As this is a general weakness and not a direct vulnerability in the Onionshare application, the direct impact of this issue is rather low.


Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 1 year ago
Updated: 8 months ago

CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-h29c-wcm8-883h, CVE-2022-21694

Affected Packages

Versions: >= 2.2, < 2.5
Fixed in: 2.5