CVE-2018-19960
Description
The debug_mode function in web/web.py in OnionShare through 1.3.1, when --debug is enabled, uses the /tmp/onionshare_server.log pathname for logging, which might allow local users to overwrite files or obtain sensitive information by using this pathname.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OnionShare debug mode writes log to predictable /tmp/onionshare_server.log, enabling local file overwrite or info disclosure.
Vulnerability
The debug_mode function in web/web.py in OnionShare through version 1.3.1 uses the hardcoded path /tmp/onionshare_server.log for logging when --debug is enabled. Because that location is both predictable and world-writable, a local user can either redirect the log writes onto another file (by placing a symlink at that path, so the target is overwritten with the privileges of the OnionShare process) or read sensitive information written to the log. The issue is present in all versions up to and including 1.3.1 [1].
Exploitation
A local attacker with write access to the /tmp directory can create a symbolic link from /tmp/onionshare_server.log to any file writable by the OnionShare process. When OnionShare runs in debug mode, the log output will overwrite the target file. Alternatively, an attacker can read the log file to obtain potentially sensitive information such as HTTP request details or error messages [1]. No authentication is required; only local access to the system is needed.
Impact
Successful exploitation allows a local attacker to either overwrite arbitrary files on the system (with the privileges of the OnionShare user) or gain access to sensitive information logged during the session. This could lead to privilege escalation or data leakage depending on the content of the overwritten file or log data [1].
Mitigation
The vulnerability was addressed in two separate commits: a hotfix for the 1.3.x branch (commit 4da5e15581a69509e7bfc6c4d0742052e0b61b24) that disables the debug mode function entirely [3], and a proper fix for the 2.x branch (commit aa5fdde6a4e4de7f113e01a3b446dcc14dcecb1a) that writes logs to platform-specific user directories instead of /tmp [2]. Users are advised to upgrade to OnionShare 1.3.2 or later, or to a version containing either commit. If upgrading is not possible, avoid using the --debug flag [1][2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| onionshare-cli (PyPI) | <= 1.3.1 | — |
Affected products
Patches (2)
aa5fdde6a4e4 Merge pull request #839 from micahflee/837_2.x_cve-2018-19960
1 file changed · +14 −3
onionshare/web/web.py+14 −3 modified@@ -184,9 +184,20 @@ def debug_mode(self): """ Turn on debugging mode, which will log flask errors to a debug file. """ - temp_dir = tempfile.gettempdir() - log_handler = logging.FileHandler( - os.path.join(temp_dir, 'onionshare_server.log')) + if self.common.platform == 'Windows': + try: + appdata = os.environ['APPDATA'] + flask_debug_filename = '{}\\OnionShare\\flask_debug.log'.format(appdata) + except: + # If for some reason we don't have the 'APPDATA' environment variable + # (like running tests in Linux while pretending to be in Windows) + flask_debug_filename = os.path.expanduser('~/.config/onionshare/flask_debug.log') + elif self.common.platform == 'Darwin': + flask_debug_filename = os.path.expanduser('~/Library/Application Support/OnionShare/flask_debug.log') + else: + flask_debug_filename = os.path.expanduser('~/.config/onionshare/flask_debug.log') + + log_handler = logging.FileHandler(flask_debug_filename) log_handler.setLevel(logging.WARNING) self.app.logger.addHandler(log_handler)
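Review bot: `logging.FileHandler(flask_debug_filename)` will raise FileNotFoundError if the parent directory (`~/.config/onionshare`, `~/Library/Application Support/OnionShare` or `%APPDATA%\OnionShare`) does not exist yet, so `--debug` would crash on a fresh profile; create it first with `os.makedirs(os.path.dirname(flask_debug_filename), mode=0o700, exist_ok=True)`, which also keeps the directory private to the user. The bare `except:` around the `APPDATA` lookup should be `except KeyError:` so it cannot swallow unrelated errors, and the Windows path is better built with `os.path.join(appdata, 'OnionShare', 'flask_debug.log')` than with a manually escaped backslash in a format string. If `tempfile.gettempdir()` was the module's only use of `tempfile`, the import can now be dropped.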
4da5e15581a6 Merge pull request #838 from micahflee/837_hotfix_cve-2018-19960
1 file changed · +7 −0
onionshare/web.py+7 −0 modified@@ -178,12 +178,19 @@ def set_gui_mode(): def debug_mode(): """ Turn on debugging mode, which will log flask errors to a debug file. + + This is commented out (it's only needed for debugging, and not needed + for OnionShare 1.3.2) as a hotfix to resolve this issue: + https://github.com/micahflee/onionshare/issues/837 + """ + pass """ temp_dir = tempfile.gettempdir() log_handler = logging.FileHandler( os.path.join(temp_dir, 'onionshare_server.log')) log_handler.setLevel(logging.WARNING) app.logger.addHandler(log_handler) + """ def check_slug_candidate(slug_candidate, slug_compare=None):
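Review bot: the old body of `debug_mode()` is retained as a second triple-quoted string after `pass`, so the function now consists of a docstring, `pass` and an unused string expression that linters will flag and readers may mistake for documentation; delete the dead code outright (git history keeps it) rather than storing it in a string literal. Because `debug_mode()` now silently does nothing, a user passing `--debug` gets no indication that file logging is disabled; emitting a one-line notice or updating the `--help` text would avoid confusion. `tempfile.gettempdir()` and `os.path.join(...)` now only appear inside the string, so the corresponding imports may be unused.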
Vulnerability mechanics
Root cause
"The application uses a predictable, globally-writable path in the system temporary directory for logging sensitive information."
Attack vector
When the `--debug` flag is enabled, the application creates a log file at `/tmp/onionshare_server.log`. Because this location is globally writable and predictable, a local attacker can pre-create this file to perform symlink attacks or gain unauthorized access to sensitive information written by the application [patch_id=21105]. This vulnerability affects OnionShare through version 1.3.1.
Affected code
The `debug_mode` function in `web/web.py` is responsible for the insecure logging behavior [patch_id=21105]. This function previously utilized a predictable path in the system's temporary directory for storing log files.
What the fix does
The vulnerability was addressed by moving the log file from the shared `/tmp` directory to a secure, user-specific configuration directory [patch_id=21105]. Alternatively, the logging functionality was disabled entirely in a separate hotfix to prevent the insecure file creation [patch_id=21104]. These changes ensure that log files are no longer accessible or manipulatable by other local users.
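The two ingredients of the 2.x fix described above (in Mitigation and in "What the fix does") are a per-user log directory instead of the shared temporary directory, and a log file that cannot be silently redirected by a pre-planted link. The following added example, which is illustrative code and not OnionShare's own, shows a hardened log opener for POSIX systems: it creates a 0700 per-user directory, opens the log with `O_NOFOLLOW` so a symlink at the path is refused by the kernel, and verifies the opened file is a regular, singly-linked file owned by the current user. `APP_NAME`, `user_log_dir`, `open_log_safely`, `NoFollowFileHandler` and `demo` are assumed names; `demo` builds a constructed scenario in a scratch directory with a planted symlink named like the old predictable log file and reports whether it was refused and whether the real log landed in the private directory.

```python
import errno
import logging
import os
import stat
import tempfile

# Assumed name for this example; not the project's own identifier.
APP_NAME = "onionshare_example"


def user_log_dir(app_name=APP_NAME, base_dir=None):
    """Return a per-user log directory (XDG-style on Linux), created with mode 0700.

    base_dir is an assumed parameter so a caller or test can redirect the
    directory to a scratch location instead of the real ~/.config.
    """
    if base_dir is None:
        base_dir = os.environ.get("XDG_CONFIG_HOME") or os.path.expanduser("~/.config")
    path = os.path.join(base_dir, app_name)
    os.makedirs(path, mode=0o700, exist_ok=True)
    # makedirs applies the umask, so enforce the private mode explicitly.
    os.chmod(path, 0o700)
    return path


def open_log_safely(path):
    """Open path for appending without ever following a symlink at that path.

    O_NOFOLLOW makes the kernel fail with ELOOP when the final component is a
    symlink, which is the pre-planted link the advisory describes. After the
    open we also insist on a regular file, owned by us, with one hard link, so
    a planted hard link cannot redirect the writes either. POSIX only:
    O_NOFOLLOW and getuid() do not exist on Windows.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid()
                or st.st_nlink != 1):
            raise OSError(errno.EPERM, "refusing to log to a file we do not exclusively own", path)
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


class NoFollowFileHandler(logging.FileHandler):
    """logging.FileHandler whose stream is obtained through open_log_safely().

    FileHandler calls self._open() to get its stream, so overriding that hook
    routes every (re)open through the hardened path.
    """

    def _open(self):
        return open_log_safely(self.baseFilename)


def demo(scratch_dir=None):
    """Constructed scenario exercising both halves of the fix.

    A symlink named like the old predictable log file is planted next to a
    constructed 'victim' file inside scratch_dir. Returns a tuple:
    (planted link refused, victim untouched, log written, log dir mode).
    """
    if scratch_dir is None:
        scratch_dir = tempfile.mkdtemp(prefix="cve-2018-19960-demo-")

    victim = os.path.join(scratch_dir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original\n")
    planted = os.path.join(scratch_dir, "onionshare_server.log")
    os.symlink(victim, planted)  # constructed: the link a hostile local user could leave

    # 1. The hardened opener refuses the planted link outright (ELOOP from O_NOFOLLOW).
    refused = False
    try:
        open_log_safely(planted).close()
    except OSError as exc:
        refused = exc.errno in (errno.ELOOP, errno.EPERM)

    # 2. Real logging goes to a 0700 per-user directory via the hardened handler.
    log_dir = user_log_dir(base_dir=os.path.join(scratch_dir, "config"))
    log_path = os.path.join(log_dir, "flask_debug.log")
    logger = logging.getLogger(APP_NAME)
    logger.setLevel(logging.WARNING)
    logger.propagate = False
    handler = NoFollowFileHandler(log_path)
    handler.setLevel(logging.WARNING)
    logger.addHandler(handler)
    logger.warning("flask error: constructed sample message")
    logger.removeHandler(handler)
    handler.close()

    with open(victim) as f:
        victim_untouched = f.read() == "original\n"
    with open(log_path) as f:
        log_written = "constructed sample message" in f.read()
    dir_mode = stat.S_IMODE(os.stat(log_dir).st_mode)
    return refused, victim_untouched, log_written, dir_mode


if __name__ == "__main__":
    print(demo())
```

Note that `O_NOFOLLOW` only applies to the last path component; the private 0700 parent directory is what prevents a hostile local user from replacing an intermediate directory, which is why both halves of the fix are needed together.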
Preconditions
- input: The application must be run with the --debug flag enabled.
Generated on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-pwjq-6wrh-5w8q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-19960 (ghsa, ADVISORY)
- bugs.debian.org/915859 (ghsa, x_refsource_MISC, WEB)
- github.com/onionshare/onionshare/commit/4da5e15581a69509e7bfc6c4d0742052e0b61b24 (ghsa, WEB)
- github.com/onionshare/onionshare/commit/aa5fdde6a4e4de7f113e01a3b446dcc14dcecb1a (ghsa, WEB)
- github.com/onionshare/onionshare/issues/837 (ghsa, WEB)