CVE-2022-21688

Name of the Vulnerable Software and Affected Versions OnionShare versions prior to 2.5

Description OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. Affected versions of the desktop application were found to be vulnerable to denial of service via an undisclosed vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB memory consumption and this can be triggered multiple times. To be abused, this vulnerability requires rendering in the history tab, so some user interaction is required. An adversary with knowledge of the Onion service address in public mode or with authentication in private mode can perform a Denial of Service attack, which quickly results in out-of-memory for the server.

Recommendations Update to version 2.5 to resolve the issue. As a temporary workaround, consider disabling the rendering of images in the history tab until a patch is available. Monitor for upstream fix and apply it when available.