How severe is GHSA-ch22-x2v3-v6vq?

GHSA-ch22-x2v3-v6vq has a CVSS score of 8.7/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-ch22-x2v3-v6vq?

GHSA-ch22-x2v3-v6vq affects the following packages: onionshare-cli (PyPI). Ecosystems affected: PyPI.

How do I fix GHSA-ch22-x2v3-v6vq?

Update onionshare-cli to 2.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-ch22-x2v3-v6vq is resolved across your whole dependency graph.

How do I detect GHSA-ch22-x2v3-v6vq in my PyPI dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for onionshare-cli. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-ch22-x2v3-v6vq if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-ch22-x2v3-v6vq?

O3 pinpoints whether GHSA-ch22-x2v3-v6vq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-ch22-x2v3-v6vq actively exploited in the wild?

Yes. There are 1 known exploit references for GHSA-ch22-x2v3-v6vq, including 1 in-the-wild exploitation observed on GitHub and other sources. Treat this as actively exploitable and prioritize patching immediately. All exploit code should only be run in an isolated sandbox environment for research or authorized testing — never against production systems without explicit written authorization.

What is the EPSS score for GHSA-ch22-x2v3-v6vq?

GHSA-ch22-x2v3-v6vq has an EPSS (Exploit Prediction Scoring System) score of 0.8%, placing it in the 51th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-ch22-x2v3-v6vq?

GHSA-ch22-x2v3-v6vq is classified as Cross-site Scripting (XSS) (CWE-79). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-ch22-x2v3-v6vq published, and has it been updated?

GHSA-ch22-x2v3-v6vq was published on January 21, 2022 and was last updated on October 7, 2024. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐍 PyPI

GHSA-ch22-x2v3-v6vq

HIGH

OTF-001: Improper Input Sanitation: The path parameter of the requested URL is not sanitized before being passed to the QT frontend

Also known asCVE-2022-21690PYSEC-2022-41

Published

Jan 21, 2022

Updated

Oct 7, 2024

Affected

1 pkg

Patched

1 / 1

Exploits

1 known

EPSS Exploitation Probability

via FIRST.org ↗

0.8%probability of exploitation in next 30 days

Lower Risk51th percentile+0.45%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

🐍onionshare-cli

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

Vulnerability ID: OTF-001
Vulnerability type: Improper Input Sanitization
Threat level: Elevated

Description:

The path parameter of the requested URL is not sanitized before being passed to the QT frontend.

Technical description:

The path parameter is not sanitized before being passed to the constructor of the QLabel.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/desktop/src/onionshare/tab/mode/__init__.py#L499-L509

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/desktop/src/onionshare/tab/mode/history.py#L456-L483

https://doc.qt.io/qt-5/qlabel.html#details

Warning: When passing a QString to the constructor or calling setText(), make sure to sanitize your input, as QLabel tries to guess whether it displays the text as plain text or as rich text, a subset of HTML 4 markup. You may want to call setTextFormat() explicitly, e.g. in case you expect the text to be in plain format but cannot control the text source (for instance when displaying data loaded from the Web).

This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the Onionshare frontend.

In the following example an adversary injects a crafted image file into an Onionshare instance with receive mode and renders it in the history component of the Onionshare application.

The only requirement is another visit to the shared site with the following parameter attached to the path of the URL:

<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAAFElEQVQY02Nk+M+ABzAxMIxKYwIAQC0BEwZFOw4AAAAASUVORK5CYII=' />

This will be rendered as a green square in the history tab where the path value is supposed to be (the value itself is shown at the bottom of the page).

otf-001

Possible scenarios where this could lead to remote code execution would be a 0-day in libpng or other internal image rendering (OTF-014 (page 12)) of the QT framework.

The QT documentation indicates that external files could be rendered, but we were unable to find a QT code path allowing for it.

Impact:

An adversary with knowledge of the Onion service address in public mode or with authentication in private mode can render arbitrary HTML (QT-HTML4 Subset) in the server desktop application. This requires the desktop application with rendered history, therefore the impact is only elevated.

Recommendation:

Manually define the text format of the QLabel via setTextFormat()

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐍PyPI	`onionshare-cli`	all versions	2.5

Exploits & PoCs

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

OnionShare is an open source tool that lets you securely and anonymously…

github.comNVDJan 2022

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for onionshare-cli. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update onionshare-cli to 2.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-ch22-x2v3-v6vq is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-ch22-x2v3-v6vq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-ch22-x2v3-v6vq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test. - Vulnerability ID: OTF-001 - Vulnerability type: Improper Input Sanitization - Threat level: Elevated ## Description: The `path` parameter of the requested URL is not sanitized before being passed to the QT frontend. ## Technical description: The `path` parameter is not sanitized before

O3 Security · Impact-Aware SCA

Is GHSA-ch22-x2v3-v6vq in your dependencies?

O3 detects GHSA-ch22-x2v3-v6vq across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works