Moderate severityNVD Advisory· Published Jan 18, 2022· Updated Apr 23, 2025

Username spoofing in OnionShare

CVE-2022-21696

Description

OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions it is possible to change the username to that of another chat participant with an additional space character at the end of the name string. An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
onionshare-cliPyPI	>= 2.3, < 2.5	2.5

Affected products

Onionshare/Onionsharev5
Range: < 2.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-68vr-8f46-vc9fghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-21696ghsaADVISORY
github.com/onionshare/onionshare/releases/tag/v2.5ghsax_refsource_MISCWEB
github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9fghsax_refsource_CONFIRMWEB
github.com/pypa/advisory-database/tree/main/vulns/onionshare-cli/PYSEC-2022-47.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000