Unrated severity · NVD Advisory · Published Dec 27, 2021 · Updated Aug 4, 2024

CVE-2021-45884

Description

In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based adblocking and a proxying extension with a SOCKS fallback are enabled, additional DNS requests are issued outside of the proxying extension using the system's DNS settings, resulting in information disclosure. NOTE: this issue exists because of an incomplete fix for CVE-2021-21323 and CVE-2021-22916.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Brave Desktop 1.17 through 1.33 before 1.33.106 leaks DNS queries outside the configured SOCKS proxy when CNAME adblocking is enabled, causing information disclosure.

Vulnerability

In Brave Desktop versions 1.17 through 1.33 before 1.33.106, the CNAME-based adblocking feature (also known as CNAME uncloaking), combined with a proxying extension (such as Proxy SwitchyOmega) configured with a SOCKS5 fallback, causes additional DNS queries to be sent outside the proxy using the system's standard DNS settings. The issue exists because of an incomplete fix for CVE-2021-21323 and CVE-2021-22916 [1]. The code path is reachable when both CNAME uncloaking is enabled (default) and a proxy extension with SOCKS fallback is active.

Exploitation

An attacker with network-level access to the victim's DNS traffic can observe DNS queries that should have been tunneled through the SOCKS proxy. The victim must be running a vulnerable Brave version with CNAME adblocking enabled and a proxying extension that has a SOCKS fallback configured. No authentication or user interaction beyond the initial browser/extension setup is required; the DNS leaks occur automatically when the browser resolves domain names for which CNAME cloaking is used by ad networks [1].

Impact

Successful exploitation leads to information disclosure: the attacker can see DNS query patterns revealing which domains the user visits, defeating the privacy protection that the SOCKS proxy was intended to provide [1][3]. This leaks metadata that could be used to track users or to identify censorship bypass, although the actual HTTP/S traffic remains within the proxy tunnel.

Mitigation

The fix was released in Brave Desktop version 1.33.106 on or around the publication date [2]. The patch disables CNAME uncloaking when a proxy extension with a SOCKS fallback is detected [1]. Users should update to the latest version of Brave. No workaround is available if the browser cannot be updated, as the vulnerability stems from the interaction of built-in features and extension functionality.
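
One way to check a workstation for this leak from the resolver side, before and after updating (an added example, not code from the advisory or from Brave): it scans resolver query logs for lookups made by hosts that are meant to resolve names only through the SOCKS proxy. It assumes the system resolver is dnsmasq with `log-queries` enabled; the log lines, addresses and names are constructed.

```python
import re

# dnsmasq "log-queries" line: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# Constructed sample log (not real traffic). 192.0.2.10 is the workstation whose
# browser is set up to send everything, DNS included, through the SOCKS proxy.
SAMPLE_LOG = """\
Dec 27 10:00:01 dnsmasq[812]: query[A] proxy.example.net from 192.0.2.10
Dec 27 10:00:05 dnsmasq[812]: query[A] metrics.shop.example from 192.0.2.10
Dec 27 10:00:06 dnsmasq[812]: reply metrics.shop.example is <CNAME>
Dec 27 10:00:09 dnsmasq[812]: query[A] updates.example.org from 192.0.2.20
Dec 27 10:00:12 dnsmasq[812]: query[AAAA] Tracker.Example.COM. from 192.0.2.10
""".splitlines()


def leak_candidates(lines, proxied_clients, allowed_names):
    """Return {client: sorted names} for queries that reached the system
    resolver from hosts expected to resolve through the proxy.

    allowed_names holds lookups that are legitimately local, such as the
    proxy's own hostname, which has to be resolved before the tunnel exists.
    """
    allowed = {n.lower().rstrip(".") for n in allowed_names}
    leaks = {}
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["client"] not in proxied_clients:
            continue  # not a query line, or a host that is not proxied
        name = m["name"].lower().rstrip(".")  # DNS names are case-insensitive
        if name in allowed:
            continue
        leaks.setdefault(m["client"], set()).add(name)
    return {client: sorted(names) for client, names in leaks.items()}


if __name__ == "__main__":
    found = leak_candidates(SAMPLE_LOG, {"192.0.2.10"}, {"proxy.example.net"})
    for client, names in found.items():
        print(client, "resolved outside the proxy:", ", ".join(names))
```

Names flagged here are candidates only: other software on the same host also uses the system resolver, so compare against a capture taken with the browser closed.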

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Brave/Brave Desktop (description)
  • Range: >=1.17, <=1.33, <1.33.106
