CVE-2022-21694: CWE-732: Incorrect Permission Assignment for Critical Resource in onionshare onionshare
OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. The website mode of OnionShare allows the use of a hardened CSP, which blocks any scripts and external resources. This CSP cannot be configured for individual pages, so the security enhancement cannot be used for websites that use JavaScript or external resources like fonts or images.
AI Analysis
Technical Summary
CVE-2022-21694 is a vulnerability classified under CWE-732, which pertains to incorrect permission assignment for critical resources in the OnionShare application. OnionShare is an open-source tool designed to facilitate secure and anonymous file sharing, website hosting, and chat functionalities over the Tor network. The vulnerability specifically affects versions of OnionShare prior to 2.5.

The issue arises in the website hosting mode of OnionShare, where a hardened Content Security Policy (CSP) is applied globally to block scripts and external resources such as fonts and images. However, this CSP cannot be configured on a per-page basis, which limits the flexibility of the security controls and potentially leads to incorrect permission assignments for critical resources. This misconfiguration could allow unauthorized access or exposure of sensitive resources that should be restricted, undermining the confidentiality and integrity of the hosted content.

Although no known exploits have been reported in the wild, the vulnerability indicates a design limitation that could be leveraged by an attacker to bypass security controls, especially in scenarios where JavaScript or external resources are necessary for legitimate website functionality. The lack of fine-grained CSP configuration means that either security is weakened to allow these resources, or the resources are blocked, impacting usability and security posture. The vulnerability does not require authentication or user interaction to be exploited, but it is limited to the context of OnionShare’s website hosting feature. Since OnionShare operates over the Tor network, the threat actor would likely need to have access to the OnionShare service instance or the hosted content to exploit this vulnerability.
Potential Impact
For European organizations using OnionShare to share sensitive files or host internal websites anonymously, this vulnerability could lead to unauthorized access or leakage of critical resources due to improper permission settings. The inability to configure CSP per page may force organizations to either disable strict security policies or accept limited functionality, potentially exposing them to cross-site scripting (XSS) or data exposure risks. Given OnionShare’s use in privacy-focused communications, exploitation could compromise confidentiality and integrity of shared data, which is particularly concerning for sectors handling sensitive information such as legal, healthcare, and governmental bodies. The impact on availability is minimal as the vulnerability does not directly cause service disruption. However, the reputational damage and potential regulatory consequences under GDPR for data leakage could be significant. Since OnionShare is often used by privacy-conscious users and activists, European NGOs and civil society organizations might be disproportionately affected. The lack of known exploits reduces immediate risk, but the vulnerability represents a latent risk that could be exploited if attackers gain access to the hosting environment.
Mitigation Recommendations
European organizations should upgrade OnionShare to version 2.5 or later, where this vulnerability is addressed. Until upgrading is possible, organizations should avoid hosting websites requiring JavaScript or external resources on OnionShare’s website mode to prevent weakening the CSP. Implementing additional network-level access controls to restrict who can access OnionShare services is recommended to reduce exposure. Organizations should also monitor OnionShare instances for unusual access patterns or attempts to retrieve restricted resources. For critical use cases, consider isolating OnionShare hosting environments and employing application-layer firewalls that can enforce granular resource permissions beyond the built-in CSP. Additionally, organizations should educate users about the limitations of OnionShare’s website mode and encourage the use of alternative secure file sharing methods when dynamic web content is necessary. Regular audits of permissions and CSP configurations should be conducted to ensure no inadvertent exposure occurs.
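To decide whether a site can stay under the all-or-nothing hardened CSP, it helps to know which pages depend on scripts or external resources. The following is an added example, not OnionShare code: `PageAudit`, `audit_site` and the sample site are hypothetical names and constructed data, and the checks model only what the description states (scripts and external resources are blocked).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser fetch a resource (subset for this example).
FETCH_ATTR = {"img": "src", "iframe": "src", "audio": "src", "video": "src",
              "source": "src", "embed": "src", "object": "data", "link": "href"}
# <link> only fetches for these rel values; rel="canonical" and similar are ignored.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


def is_external(url):
    """True for absolute or scheme-relative URLs, i.e. anything that names a host."""
    return bool(urlparse(url).netloc)


class PageAudit(HTMLParser):
    """Collects what a policy blocking scripts and external resources would break."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.findings.append(("script", attrs.get("src") or "inline"))
        for name in attrs:
            if name.startswith("on"):  # onclick=, onload=, ... count as inline script
                self.findings.append(("inline-handler", f"{tag}[{name}]"))
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not FETCHING_RELS & rels:
            return
        url = attrs.get(FETCH_ATTR.get(tag, ""))
        if url and is_external(url):
            self.findings.append(("external", url))


def audit_site(pages):
    """Map page name -> findings, listing only pages the hardened CSP would break."""
    report = {}
    for name, html in pages.items():
        parser = PageAudit()
        parser.feed(html)
        parser.close()
        if parser.findings:
            report[name] = parser.findings
    return report


# Constructed sample site: page names and markup are made up for this example.
SAMPLE_SITE = {
    "index.html": '<h1>Hi</h1><img src="img/logo.png"><a href="https://example.org/">x</a>',
    "gallery.html": '<link rel="stylesheet" href="https://fonts.example/css">'
                    '<img src="//cdn.example/a.png" onclick="zoom()">'
                    '<script src="js/app.js"></script>',
}
```

An empty report means every page works with the hardened CSP left on; any listed page is one that, before 2.5, forced the operator to disable the policy for the whole site. External URLs referenced from inside CSS files are not covered by this check.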
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2021-11-16T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2309
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:17:14 PM
Last updated: 7/25/2025, 8:57:34 PM