Toxcore · Toxcore · CVE-2018-25022
**Name of the Vulnerable Software and Affected Versions**
toxcore versions prior to 0.2.2
**Description**
The issue allows a remote attacker to discover a target user's IP address by positioning themselves close to the target's Tox ID in the DHT, guessing the target's DHT public key, creating a DHT node with a public key close to it, and finally onion-routing a NAT Ping Request to the target. This is possible because the Onion module in toxcore does not restrict which packets can be onion-routed.
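The missing restriction can be pictured as an allowlist applied by the node that unwraps the last onion layer, before it sends the inner packet on. The C example below is an added illustration, not toxcore's code or the 0.2.2 patch; the function names, the packet-kind values, the header length and the choice of allowed kinds are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All values below are assumptions made for this example. */
enum {
    PKT_DHT_REQUEST        = 0x20, /* assumed carrier of a NAT Ping Request */
    PKT_ANNOUNCE_REQUEST   = 0x83,
    PKT_ONION_DATA_REQUEST = 0x85
};
#define DEST_HDR_LEN 19 /* assumed size of the packed destination IP/port */

/* Hypothetical exit-node check. `plain` is the decrypted last onion layer:
 * destination header followed by the inner packet to be sent on. */
bool onion_exit_may_forward(const uint8_t *plain, size_t len)
{
    if (plain == NULL || len <= DEST_HDR_LEN) {
        return false; /* no inner packet: nothing to forward */
    }
    switch (plain[DEST_HDR_LEN]) {
    case PKT_ANNOUNCE_REQUEST:
    case PKT_ONION_DATA_REQUEST:
        return true;  /* kinds the onion layer exists to carry */
    default:
        return false; /* DHT requests and every unknown kind are dropped */
    }
}

/* Constructed sample: zeroed destination header, kind byte, 4 body bytes. */
size_t make_sample(uint8_t *buf, uint8_t kind)
{
    memset(buf, 0, DEST_HDR_LEN + 5);
    buf[DEST_HDR_LEN] = kind;
    return DEST_HDR_LEN + 5;
}

int main(void)
{
    const uint8_t kinds[] = { PKT_DHT_REQUEST, PKT_ANNOUNCE_REQUEST, PKT_ONION_DATA_REQUEST, 0x00 };
    uint8_t buf[64];
    for (size_t i = 0; i < sizeof kinds; i++) {
        size_t n = make_sample(buf, kinds[i]);
        printf("kind 0x%02x -> %s\n", (unsigned)kinds[i], onion_exit_may_forward(buf, n) ? "forward" : "drop");
    }
    return 0;
}
```

The default-deny branch is the point: a packet kind that is not explicitly listed, including one added to the protocol later, is never relayed.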
**Recommendations**
For versions prior to 0.2.2, update to version 0.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Onion module until a patch is available. Avoid using the Onion module for sensitive communications until the issue is resolved.