Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-30334

CVE-2022-30334: Brave Browser Information Disclosure Flaw

CVE-2022-30334 is an information disclosure flaw in Brave Browser that leaks .onion URLs in Referer and Origin headers when using Private Windows with Tor. This article covers technical details, affected versions, and fixes.

Updated:

CVE-2022-30334 Overview

CVE-2022-30334 is an information disclosure vulnerability in the Brave browser before version 1.34. When users browse with a Private Window with Tor Connectivity, the browser leaks .onion URLs through HTTP Referer and Origin headers. This behavior undermines the anonymity expectation users associate with Tor-based browsing modes.

The issue falls under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Brave addressed the leak in version 1.34, but its documentation still notes that Private Windows with Tor Connectivity use Tor only as a proxy and do not implement most of the privacy protections of the Tor Browser.

Critical Impact

Hidden service .onion URLs visited from Brave's Tor-enabled private window can be exposed to third-party origins via referrer headers, weakening the de-anonymization protection users expect.

Affected Products

  • Brave Browser versions prior to 1.34
  • Brave Private Windows with Tor Connectivity feature
  • Desktop builds of the Brave browser that ship the Tor proxy mode

Discovery Timeline

  • 2022-05-07 - CVE-2022-30334 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-30334

Vulnerability Analysis

The vulnerability is an information disclosure issue affecting Brave's Private Window with Tor Connectivity. When a user navigates from a .onion resource to another origin, Brave includes the originating .onion URL in the outbound Referer and Origin headers. These headers then traverse exit nodes or clearnet servers, exposing the hidden service address.

This exposure breaks a core privacy assumption of using Tor-mode browsing: that the identity of visited hidden services should not leak to unrelated origins. Tor Browser mitigates this class of leak by stripping or rewriting referrers when crossing origin boundaries. Brave's Tor mode, by contrast, behaved like a standard private window using Tor only as a network proxy.

Root Cause

The root cause is the absence of referrer-policy enforcement specific to Tor-enabled private windows. Brave's implementation reused the default Chromium referrer behavior, which propagates the originating URL across cross-origin navigations and subresource requests. No additional sanitization stripped sensitive .onion hostnames before transmission.

Attack Vector

An attacker controlling or observing a destination web server can passively collect .onion referrers from users who click outbound links from hidden services. No user interaction beyond normal browsing is required. Cross-origin embedded resources, such as images or scripts loaded from clearnet, can also trigger the leak through the Origin or Referer headers.

The vulnerability is exploitable over the network without authentication. Refer to the HackerOne Vulnerability Report and the GitHub Issue Report for the technical disclosure details.

Detection Methods for CVE-2022-30334

Indicators of Compromise

  • HTTP request logs on clearnet web servers containing Referer header values with the .onion top-level domain.
  • Web analytics or access logs showing Origin headers with .onion hostnames from users in private/Tor mode.
  • Outbound proxy or TLS inspection logs flagging cross-origin requests carrying onion-service referrers.

Detection Strategies

  • Inventory Brave browser installations across managed endpoints and identify versions earlier than 1.34.
  • Audit web server access logs under organizational control for .onion referrer strings as evidence of leakage.
  • Monitor for browser binaries running with command-line flags indicating Tor private window mode on unpatched versions.

Monitoring Recommendations

  • Track Brave version compliance through endpoint management or software inventory tooling.
  • Alert on unexpected .onion strings appearing in HTTP request metadata captured by web proxies.
  • Review user-agent and version telemetry to confirm browsers receive scheduled updates from Brave's release channel.

How to Mitigate CVE-2022-30334

Immediate Actions Required

  • Upgrade Brave to version 1.34 or later on all endpoints that may use Private Window with Tor Connectivity.
  • Communicate to users that Brave's Tor mode is not a substitute for Tor Browser when threat models require strict anonymity.
  • For workflows requiring strong hidden-service privacy, direct users to the official Tor Browser instead.

Patch Information

Brave fixed the leak in the GitHub Pull Request brave-core#10760, which ships in Brave 1.34 and later. Refer to the Brave Support Article on Private Windows with Tor Connectivity for current guidance on the feature's privacy boundaries.

Workarounds

  • Disable use of Brave's Private Window with Tor Connectivity until the browser is updated to 1.34 or newer.
  • Use the Tor Browser for any browsing of hidden services where referrer leakage would be unacceptable.
  • Configure restrictive referrer policies on organization-controlled web properties to limit downstream exposure of sensitive URLs.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.