CVE-2021-21323
MEDIUMBrave 1.17.73-1.20.103 - DNS Request Leak via CNAME Adblocking Bypass
Title source: llmDescription
Brave is an open source web browser with a focus on privacy and security. In Brave versions 1.17.73-1.20.103, the CNAME adblocking feature added in Brave 1.17.73 accidentally initiated DNS requests that bypassed the Brave Tor proxy. Users with adblocking enabled would leak DNS requests from Tor windows to their DNS provider. (DNS requests that were not initiated by CNAME adblocking would go through Tor as expected.) This is fixed in Brave version 1.20.108
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://github.com/brave/brave-browser/security/advisories/GHSA-mqjf-9x5g-2rv6
Patch, Third Party Advisory x_refsource_misc
https://github.com/brave/brave-browser/issues/13527
Patch, Third Party Advisory x_refsource_misc
https://github.com/brave/brave-core/pull/7769
Patch, Third Party Advisory x_refsource_misc
https://github.com/brave/brave-core/commit/12fe321eaad8acc1cbd1d70b4128f687777bcf15
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1077022
Scores
CVSS v3
4.3
EPSS
0.0195
EPSS Percentile
77.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
brave/brave
1.17.73 - 1.20.103
Published
Feb 23, 2021
Tracked Since
Feb 18, 2026