CVE-2022-30334 Overview
CVE-2022-30334 is an information leakage vulnerability in the Brave browser affecting versions prior to 1.34. When users utilize a Private Window with Tor Connectivity, the browser inadvertently leaks .onion URLs through HTTP Referer and Origin headers. This exposes sensitive Tor hidden service addresses to third parties, potentially compromising user anonymity and the privacy guarantees expected when browsing through the Tor network.
Critical Impact
Users expecting anonymity when visiting .onion sites through Brave's Tor integration may have their browsing destinations exposed through HTTP headers, undermining the core privacy purpose of using Tor connectivity.
Affected Products
- Brave Browser versions prior to 1.34
- Brave Private Window with Tor Connectivity feature
- All platforms running affected Brave versions
Discovery Timeline
- 2022-05-07 - CVE-2022-30334 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-30334
Vulnerability Analysis
This vulnerability falls under the category of Information Leakage (CWE-200), specifically affecting privacy-sensitive browsing scenarios. When a user navigates from a .onion site to another destination while using Brave's Private Window with Tor Connectivity, the browser fails to properly sanitize or strip the Referer and Origin HTTP headers. These headers inadvertently contain the full .onion URL, revealing to destination servers and any network observers the Tor hidden service the user was previously visiting.
The issue is particularly significant because users explicitly choosing Tor connectivity expect enhanced privacy protections. Brave's own documentation acknowledges the limitation, stating that "Private Windows with Tor Connectivity in Brave are just regular private windows that use Tor as a proxy" and that "Brave does NOT implement most of the privacy protections from Tor Browser."
Root Cause
The root cause lies in Brave's incomplete implementation of privacy protections for Tor-connected browsing sessions. Unlike the dedicated Tor Browser, which implements comprehensive header sanitization and referrer stripping policies, Brave's Tor integration did not properly handle the removal or modification of Referer and Origin headers when navigating from .onion domains. This oversight allowed sensitive hidden service addresses to leak in standard HTTP request headers.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction beyond normal browsing behavior. An attacker operating a destination website, or any entity capable of inspecting HTTP traffic (such as a malicious exit node or network observer), can passively collect leaked .onion URLs from incoming request headers.
The exploitation scenario involves:
- A user opens a Private Window with Tor Connectivity in Brave
- The user navigates to a .onion hidden service
- The user clicks a link or navigates to another website (clearnet or another .onion)
- The destination receives the original .onion URL in the Referer header
- The attacker correlates the .onion address with the user's activity
This vulnerability does not require active exploitation—the information leakage occurs automatically during normal browsing workflows.
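The following Python model is an added illustration of the header behaviour described above; it is not Brave's code and does not reproduce the actual patch. `vulnerable_headers` builds the Referer and Origin values a browser would attach when leaving one page for another with no hidden-service awareness, which is the leaking behaviour, and `hardened_headers` is an assumed policy that drops both headers whenever the page being left is a .onion address. `leaks_onion` is the defender's view of the same condition. The .onion addresses are constructed placeholders. Note that a network observer or exit node can only read these headers on plaintext HTTP connections, whereas the destination server sees them on HTTPS as well.

```python
from urllib.parse import urlsplit

# Constructed sample navigation for the scenario described in the text.
# The hidden-service addresses are made-up placeholders, not real sites.
ONION_PAGE = "http://onionplaceholderaddressxxxxxxxx.onion/forum/thread/42"
OTHER_ONION_PAGE = "http://anotheronionplaceholderxxxxxxx.onion/"
CLEARNET_PAGE = "https://news.example/article"


def is_onion_url(url: str) -> bool:
    """True when the URL's host is a Tor hidden service (.onion suffix).
    Checks the parsed hostname, so 'onion.example.com' is not a match."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".").endswith(".onion")


def origin_of(url: str) -> str:
    """Scheme plus authority, the value a browser puts in the Origin header."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def vulnerable_headers(source_url: str, dest_url: str, method: str = "GET") -> dict:
    """Header construction that reproduces the leak the advisory describes:
    the full URL of the page being left is copied into Referer, and Origin
    is added on cross-origin non-GET requests, regardless of whether the
    source is a hidden service. Illustrative model, not Brave's code."""
    headers = {"Referer": source_url}
    if method.upper() != "GET" and origin_of(source_url) != origin_of(dest_url):
        headers["Origin"] = origin_of(source_url)
    return headers


def hardened_headers(source_url: str, dest_url: str, method: str = "GET") -> dict:
    """Assumed hardened policy: a navigation that leaves a .onion page sends
    neither Referer nor Origin, so the hidden-service address never reaches
    the destination (clearnet or another .onion). Other navigations are
    unchanged. The same predicate could run in an egress proxy."""
    if is_onion_url(source_url):
        return {}
    return vulnerable_headers(source_url, dest_url, method)


def leaks_onion(headers: dict) -> bool:
    """Defender-side check: does any header value name a .onion host?
    This is what a server-side log review looks for."""
    return any(is_onion_url(value) for value in headers.values())


if __name__ == "__main__":
    for label, build in (("vulnerable", vulnerable_headers), ("hardened", hardened_headers)):
        for method in ("GET", "POST"):
            hdrs = build(ONION_PAGE, CLEARNET_PAGE, method)
            print(f"{label:10} {method:4} {hdrs}  leaks .onion: {leaks_onion(hdrs)}")
```

Running the block prints the headers for a GET and a POST from the placeholder .onion page to a clearnet page under each policy; only the vulnerable variant reports a leak.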
Detection Methods for CVE-2022-30334
Indicators of Compromise
- Presence of .onion URLs in web server access logs from Referer headers
- HTTP requests from Brave clients arriving via Tor exit node IP addresses with .onion references in their headers
- Network traffic analysis revealing .onion strings in HTTP headers
Detection Strategies
- Monitor web application logs for Referer headers containing .onion domain patterns
- Implement network inspection rules to detect .onion strings in HTTP headers at network boundaries
- Review browser version information to identify users running Brave versions prior to 1.34
- Utilize endpoint detection to flag installations of vulnerable Brave versions
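As an added example of the first two detection strategies (not part of the original advisory), the following Python scans web server access logs in the Apache/Nginx "combined" format and reports requests whose Referer names a .onion host. The log lines are constructed samples with a placeholder .onion address, and the regular expression and function names are this example's own. Matching on the parsed Referer hostname rather than the substring "onion" avoids false positives from search queries or clearnet hosts such as onion.example.com.

```python
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format: client, identity, user, time, request,
# status, bytes, referer, user agent.
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines. The .onion address is a made-up placeholder.
# Line 2 mentions "onion" only in a search query, line 3 comes from a
# clearnet host that merely contains the word, line 4 has no Referer, and
# line 5 is malformed; only line 1 should be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2022:13:55:36 +0000] "GET /article HTTP/1.1" 200 5123 '
    '"http://onionplaceholderaddressxxxxxxxx.onion/forum/thread/42" "Mozilla/5.0"',
    '198.51.100.22 - - [10/May/2022:13:56:01 +0000] "GET /blog/what-is-an-onion-service HTTP/1.1" 200 8812 '
    '"https://search.example/?q=onion+service" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2022:13:57:12 +0000] "POST /api/comment HTTP/1.1" 201 41 '
    '"https://onion.example.com/start" "Mozilla/5.0"',
    '192.0.2.44 - - [10/May/2022:13:58:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    'not a log line at all',
]


def onion_host(referer: str):
    """Return the .onion hostname named by a Referer value, or None.
    A bare '-' (no Referer) parses to no hostname and yields None."""
    host = urlsplit(referer).hostname
    if host and host.lower().rstrip(".").endswith(".onion"):
        return host.lower()
    return None


def find_onion_referers(lines):
    """Scan combined-format access log lines and report each request whose
    Referer points at a Tor hidden service."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED_LOG.match(line)
        if not match:
            continue  # malformed or truncated line: skip rather than crash
        host = onion_host(match["referer"])
        if host:
            findings.append({
                "line": number,
                "client": match["client"],
                "time": match["time"],
                "request": match["request"],
                "onion_host": host,
            })
    return findings


if __name__ == "__main__":
    for hit in find_onion_referers(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['request']} "
              f"referred from {hit['onion_host']}")
```

To run this against a real file, replace `SAMPLE_LOG` with the lines read from the access log; the same `onion_host` predicate can be applied to the Origin header if a proxy or WAF exposes it in its logs.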
Monitoring Recommendations
- Establish alerts for unusual patterns in Referer header analysis
- Deploy SentinelOne endpoint agents to inventory browser versions across the organization
- Monitor for security advisories related to browser privacy features
- Implement traffic analysis solutions capable of inspecting HTTP headers for sensitive data exposure
How to Mitigate CVE-2022-30334
Immediate Actions Required
- Update Brave browser to version 1.34 or later immediately
- Consider using the dedicated Tor Browser for sensitive .onion browsing requiring full privacy protections
- Review Brave's documentation on the limitations of Private Windows with Tor Connectivity
- Educate users about the privacy differences between Brave's Tor feature and the full Tor Browser
Patch Information
Brave addressed this vulnerability in version 1.34. The fix was implemented through GitHub Pull Request #10760, which added proper header sanitization to prevent .onion URL leakage in Referer and Origin headers. Users should ensure their Brave installation is updated to version 1.34 or later. For organizations, deploying automated browser update mechanisms is recommended to ensure all endpoints receive the security patch.
Additional details about the vulnerability can be found in the GitHub Issue Report and the HackerOne Report #1337624.
Workarounds
- Use the standalone Tor Browser instead of Brave's Private Window with Tor Connectivity for visiting .onion sites
- Manually disable Referer headers via browser extensions or configuration when using vulnerable versions
- Avoid clicking external links while browsing .onion sites in affected Brave versions
- Implement network-level filtering to strip Referer headers from outbound requests
# Verify Brave version on Linux/macOS
brave --version
# Update Brave browser via package manager (Debian/Ubuntu example)
sudo apt update && sudo apt upgrade brave-browser
# For Windows, update through Brave's built-in updater
# Menu > Help > About Brave > Check for updates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.