CVE-2022-47932

Vulnerability

A denial-of-service vulnerability exists in Brave Browser versions prior to 1.43.34. A remote attacker can cause a denial of service by providing a crafted HTML file that includes an ipfs:// or ipns:// URL. This issue is caused by an incomplete fix for CVE-2022-47933 [1][2][3].

Exploitation

An attacker can trigger the vulnerability by convincing a user to open a malicious HTML file, either through a direct file download or by hosting the file on a website. The attacker does not require any special network position or authentication; the user simply needs to render the file in the affected Brave Browser. The browser then attempts to process the malformed IPFS/IPNS URL, leading to the crash.

Impact

Successful exploitation results in a denial of service, causing the browser to crash. This briefly prevents the user from accessing browser features until the browser is restarted. No code execution or data compromise has been reported in the available references.

Mitigation

The vulnerability is fixed in Brave Browser version 1.43.34, released prior to the public disclosure date of December 24, 2022. Users should update to this version or later. No workarounds are documented in the references, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the current analysis.