Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐍 PyPI

GHSA-gjj5-998g-v36v

MEDIUM

Improper Access Control in Onionshare

Also known asCVE-2022-21692PYSEC-2022-43
Published
Jan 21, 2022
Updated
Oct 7, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
0.8%probability of exploitation in next 30 days
Lower Risk51th percentile+0.62%
0.00%0.42%0.85%1.27%0.2%0.8%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐍onionshare-cli

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's Red Team lab. This is an issue from that penetration test.

  • Vulnerability ID: OTF-003
  • Vulnerability type: Improper Access Control
  • Threat level: Moderate

Description:

Anyone with access to the chat environment can write messages disguised as another chat participant.

Technical description:

Prerequisites:

  • Alice and Bob are legitimate users
  • A third user has access to the chat environment

otf-003-a

This screenshot shows Alice (glimpse-depress) and Bob (blinker-doorpost) joined a chatroom and are the only participants in the chatroom. Then the non-listed user squad-nursing writes a message in the chatroom without being visible in the list of users. The sending of the message itself is not required but was done here to show the initial access. The non-listed participant now renames himself to Bob and writes another message, seemingly coming from Bob.

This can be reproduced by slightly modifying the client-side JavaScript. The joined emit needs to be removed from the socket.on(connect) event handler. Therefore a client is not listed in the userlist and has no active session.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/resources/static/js/chat.js#L16-L18

This can be done either via a crafted client or runtime modification of the chat.js script in the browser's internal debugger.

It is still possible to call the text method and send text to the chat via websocket.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L131-L139

It is also possible to call the update_username function and choose an existing username from the chat.

https://github.com/onionshare/onionshare/blob/d08d5f0f32f755f504494d80794886f346fbafdb/cli/onionshare_cli/web/chat_mode.py#L141-L162

Afterwards the hidden user can send messages that are displayed as coming from the impersonated user. There is no way to distinguish between the fake and original message.

Impact:

An adversary with access to the chat environment can impersonate existing chat participants and write messages but not read the conversation. The similar exploit described in OTF-004 (page 19) has only slightly more requirements but also allows for reading.

Recommendation:

  • Implement proper session handling

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐍PyPIonionshare-cli2.3&&< 2.52.5
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

OnionShare is an open source tool that lets you securely and anonymously…

github.comNVDJan 2022

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for onionshare-cli. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update onionshare-cli to 2.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-gjj5-998g-v36v is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-gjj5-998g-v36v is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-gjj5-998g-v36v. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Between September 26, 2021 and October 8, 2021, [Radically Open Security](https://www.radicallyopensecurity.com/) conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund's [Red Team lab](https://www.opentech.fund/labs/red-team-lab/). This is an issue from that penetration test. - Vulnerability ID: OTF-003 - Vulnerability type: Improper Access Control - Threat level: Moderate ## Description: Anyone with access to the chat environment can write messages disguised as another chat participant. ## Technical description: Prerequisites: - Alice and Bob are legitimate
O3 Security · Impact-Aware SCA

Is GHSA-gjj5-998g-v36v in your dependencies?

O3 detects GHSA-gjj5-998g-v36v across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works