CVE-2022-30334 Overview
CVE-2022-30334 is an information disclosure vulnerability in the Brave browser before version 1.34. When users browse with a Private Window with Tor Connectivity, the browser leaks .onion URLs through HTTP Referer and Origin headers. This behavior undermines the anonymity expectation users associate with Tor-based browsing modes.
The issue falls under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. Brave addressed the leak in version 1.34, but its documentation still notes that Private Windows with Tor Connectivity use Tor only as a proxy and do not implement most of the privacy protections of the Tor Browser.
Critical Impact
Hidden service .onion URLs visited from Brave's Tor-enabled private window can be exposed to third-party origins via Referer and Origin headers, weakening the protection against de-anonymization that users expect from the feature.
Affected Products
- Brave Browser versions prior to 1.34
- Brave Private Windows with Tor Connectivity feature
- Desktop builds of the Brave browser that ship the Tor proxy mode
Discovery Timeline
- 2022-05-07 - CVE-2022-30334 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-30334
Vulnerability Analysis
The vulnerability is an information disclosure issue affecting Brave's Private Window with Tor Connectivity. When a user navigates from a .onion resource to another origin, Brave includes the originating .onion URL in the outbound Referer and Origin headers. These headers then pass through the Tor exit node to the clearnet destination server, exposing the hidden service address to that server.
This exposure breaks a core privacy assumption of using Tor-mode browsing: that the identity of visited hidden services should not leak to unrelated origins. Tor Browser mitigates this class of leak by stripping or rewriting referrers when crossing origin boundaries. Brave's Tor mode, by contrast, behaved like a standard private window using Tor only as a network proxy.
Root Cause
The root cause is the absence of referrer-policy enforcement specific to Tor-enabled private windows. Brave's implementation reused the default Chromium referrer behavior, which propagates the originating URL across cross-origin navigations and subresource requests. No additional sanitization stripped sensitive .onion hostnames before transmission.
Attack Vector
An attacker controlling or observing a destination web server can passively collect .onion referrers from users who click outbound links from hidden services. No user interaction beyond normal browsing is required. Cross-origin embedded resources, such as images or scripts loaded from clearnet, can also trigger the leak through the Origin or Referer headers.
The vulnerability is exploitable over the network without authentication. Refer to the HackerOne Vulnerability Report and the GitHub Issue Report for the technical disclosure details.
Detection Methods for CVE-2022-30334
Indicators of Compromise
- HTTP request logs on clearnet web servers containing Referer header values with the .onion top-level domain.
- Web analytics or access logs showing Origin headers with .onion hostnames from users in private/Tor mode.
- Outbound proxy or TLS inspection logs flagging cross-origin requests carrying onion-service referrers.
Detection Strategies
- Inventory Brave browser installations across managed endpoints and identify versions earlier than 1.34.
- Audit web server access logs under organizational control for .onion referrer strings as evidence of leakage.
- Monitor for browser binaries running with command-line flags indicating Tor private window mode on unpatched versions.
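The log audit described above, as an added example that is not part of the original advisory or any vendor tooling: it parses the Apache/nginx "combined" access-log format, flags any Referer whose host ends in .onion, and, as an assumption, also accepts an optional extra quoted field at the end of a line holding the request's Origin header (some sites log it with a custom format). The log lines, client addresses and the .onion hostname are constructed; hosts are matched on the hostname, not on the string "onion" anywhere in the URL, so a clearnet path such as /onion/ does not trigger a finding.

```python
"""Scan web-server access logs for Referer/Origin values carrying a .onion host."""
import re
from urllib.parse import urlsplit

# Constructed placeholder: 56 base32 characters + .onion, the shape of a v3 address.
V3_ONION = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"

# "combined" format, plus an assumed optional trailing quoted Origin field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<origin>[^"]*)")?\s*$'
)

# Constructed sample log: two lines leak a hidden-service host, three do not.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/May/2022:13:55:36 +0000] "GET /landing HTTP/1.1" 200 512 '
    '"https://example.com/" "Mozilla/5.0 Brave/1.33"',
    '198.51.100.7 - - [10/May/2022:13:56:01 +0000] "GET /landing HTTP/1.1" 200 512 '
    f'"http://{V3_ONION}/forum/thread?id=42" "Mozilla/5.0 Brave/1.33"',
    '198.51.100.8 - - [10/May/2022:13:56:09 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2022:13:57:15 +0000] "POST /api/vote HTTP/1.1" 204 0 '
    f'"-" "Mozilla/5.0 Brave/1.33" "http://{V3_ONION}"',
    '203.0.113.11 - - [10/May/2022:13:58:00 +0000] "GET /landing HTTP/1.1" 200 512 '
    '"http://notonion.example/onion/" "Mozilla/5.0"',
]


def onion_host(value):
    """Return the lower-cased .onion hostname in a Referer/Origin value, else None."""
    if not value or value == "-":
        return None
    host = urlsplit(value).hostname  # None for "null" or non-URL values
    if host and host.lower().endswith(".onion"):
        return host.lower()
    return None


def scan_log(lines):
    """Return one finding per header value that names a .onion host."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a production scanner would count these
        for field, header in (("referer", "Referer"), ("origin", "Origin")):
            host = onion_host(match.group(field))
            if host:
                findings.append({
                    "line": number,
                    "client": match.group("client"),
                    "time": match.group("time"),
                    "request": match.group("request"),
                    "header": header,
                    "onion_host": host,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['header']} names "
              f"{finding['onion_host']} ({finding['request']})")
```

Run it against real logs by feeding the file's lines to scan_log; the client address in a finding is the Tor exit node, not the user, which is why the leaked host is the only actionable field.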
Monitoring Recommendations
- Track Brave version compliance through endpoint management or software inventory tooling.
- Alert on unexpected .onion strings appearing in HTTP request metadata captured by web proxies.
- Review user-agent and version telemetry to confirm browsers receive scheduled updates from Brave's release channel.
How to Mitigate CVE-2022-30334
Immediate Actions Required
- Upgrade Brave to version 1.34 or later on all endpoints that may use Private Window with Tor Connectivity.
- Communicate to users that Brave's Tor mode is not a substitute for Tor Browser when threat models require strict anonymity.
- For workflows requiring strong hidden-service privacy, direct users to the official Tor Browser instead.
Patch Information
Brave fixed the leak in the GitHub Pull Request brave-core#10760, which ships in Brave 1.34 and later. Refer to the Brave Support Article on Private Windows with Tor Connectivity for current guidance on the feature's privacy boundaries.
Workarounds
- Disable use of Brave's Private Window with Tor Connectivity until the browser is updated to 1.34 or newer.
- Use the Tor Browser for any browsing of hidden services where referrer leakage would be unacceptable.
- Configure restrictive referrer policies on organization-controlled web properties to limit downstream exposure of sensitive URLs.
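To show why the default Chromium referrer behaviour named under Root Cause leaks the hidden-service host, and which of the restrictive policies recommended in the last workaround actually stop it, here is an added example that is not Brave's or Chromium's code: a simulator of the Referer part of the W3C Referrer Policy algorithm. It assumes the source page is a plain-http .onion site and the destination is a clearnet https site, simplifies "downgrade" to https to non-https, and does not model the Origin header. The .onion hostname is a constructed placeholder.

```python
"""Referrer Policy simulator: the Referer value a request carries under each policy."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "origin",
    "origin-when-cross-origin",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",  # Chromium's default since Chrome 85
    "unsafe-url",
)


def _host_port(url):
    p = urlsplit(url)
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port is not None else host


def origin_of(url):
    """scheme://host[:port], with userinfo, path, query and fragment dropped."""
    return f"{urlsplit(url).scheme}://{_host_port(url)}"


def full_referrer(url):
    """The 'full' Referer form: the URL minus userinfo and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))


def referer_for(policy, source, destination):
    """Return the Referer value sent for source -> destination, or None for no header."""
    same_origin = origin_of(source) == origin_of(destination)
    # Simplification: a downgrade is https -> anything that is not https.
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme != "https")
    origin_form = origin_of(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "origin":
        return origin_form
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_form
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_form
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_referrer(source) if same_origin else origin_form
    raise ValueError(f"unknown referrer policy: {policy}")


def leaks_onion_host(policy, source, destination):
    """True if the Referer sent under `policy` still names a .onion host."""
    ref = referer_for(policy, source, destination)
    host = urlsplit(ref).hostname if ref else None
    return bool(host and host.endswith(".onion"))


# Constructed placeholder hidden-service page and a clearnet destination.
ONION_PAGE = "http://exampleonionaddressplaceholder.onion/forum/thread?id=42#reply"
CLEARNET = "https://example.com/landing"

if __name__ == "__main__":
    for policy in POLICIES:
        sent = referer_for(policy, ONION_PAGE, CLEARNET)
        print(f"{policy:32} leaks={leaks_onion_host(policy, ONION_PAGE, CLEARNET)!s:5} {sent}")
```

The table it prints makes the point of the workaround: every policy that keeps at least the origin form (including the Chromium default) still reveals the .onion hostname on a cross-origin request, so only no-referrer or same-origin, set by the hidden service itself via a Referrer-Policy header or a referrer meta tag, removes the host from outbound requests.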
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


