
    4 vulnerabilities matching “duckduckgo”

    CVE-2025-48464 (GCVE-0-2025-48464)

    Vulnerability from cvelistv5 – Published: 2025-10-08 06:50 – Updated: 2025-10-08 17:27
    VLAI
    Title
    Exposure of Sensitive Information
    Summary
    Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim’s Sync account data such as account credentials and email protection information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    CSA
    Impacted products
    Vendor Product Version
    DuckDuckGo DuckDuckGo Browser Affected: 5.246.0 and below
    Date Public
    2025-10-08 06:49
    Credits
    Leng Kang Hao

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48464",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-08T17:23:36.909136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-08T17:27:07.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DuckDuckGo Browser",
              "vendor": "DuckDuckGo",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.246.0 and below"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Leng Kang Hao"
            }
          ],
          "datePublic": "2025-10-08T06:49:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim\u2019s Sync account data such as account credentials and email protection information.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Successful exploitation of the vulnerability could allow an unauthenticated attacker to gain access to a victim\u2019s Sync account data such as account credentials and email protection information."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-08T06:50:11.081Z",
            "orgId": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4",
            "shortName": "CSA"
          },
          "references": [
            {
              "url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-097/"
            },
            {
              "url": "https://tuxplorer.com/posts/dont-leave-me-outdated/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Users of affected product versions are advised to update to DuckDuckGo version 5.247.0 immediately.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Users of affected product versions are advised to update to DuckDuckGo version 5.247.0 immediately."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Exposure of Sensitive Information",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5f57b9bf-260d-4433-bf07-b6a79e9bb7d4",
        "assignerShortName": "CSA",
        "cveId": "CVE-2025-48464",
        "datePublished": "2025-10-08T06:50:11.081Z",
        "dateReserved": "2025-05-22T09:41:25.401Z",
        "dateUpdated": "2025-10-08T17:27:07.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-44683 (GCVE-0-2021-44683)

    Vulnerability from cvelistv5 – Published: 2022-03-25 21:13 – Updated: 2024-08-04 04:25
    VLAI
    Summary
    The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:25:16.875Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.cybercitadel.com/remote-address-bar-spoofing-and-html-injection-disclosures/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker\u0027s web site."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-25T21:13:40.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.cybercitadel.com/remote-address-bar-spoofing-and-html-injection-disclosures/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-44683",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker\u0027s web site."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cybercitadel.com/remote-address-bar-spoofing-and-html-injection-disclosures/",
                  "refsource": "MISC",
                  "url": "https://www.cybercitadel.com/remote-address-bar-spoofing-and-html-injection-disclosures/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-44683",
        "datePublished": "2022-03-25T21:13:40.000Z",
        "dateReserved": "2021-12-06T00:00:00.000Z",
        "dateUpdated": "2024-08-04T04:25:16.875Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-15502 (GCVE-0-2020-15502)

    Vulnerability from cvelistv5 – Published: 2020-07-02 10:59 – Updated: 2024-08-04 13:15 Disputed
    VLAI
    Summary
    The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated "the favicon service adheres to our strict privacy policy."
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-15502",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-26T19:55:30.362437Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-26T19:55:36.602Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T13:15:20.721Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=23708166"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/duckduckgo/Android/issues/527"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=23711597"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated \"the favicon service adheres to our strict privacy policy."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-02T10:59:20.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://news.ycombinator.com/item?id=23708166"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/duckduckgo/Android/issues/527"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://news.ycombinator.com/item?id=23711597"
            }
          ],
          "tags": [
            "disputed"
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-15502",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, and through 7.47.1.0 for iOS, sends hostnames of visited web sites within HTTPS .ico requests to servers in the duckduckgo.com domain, which might make visit data available temporarily at a Potentially Unwanted Endpoint. NOTE: the vendor has stated \"the favicon service adheres to our strict privacy policy.\""
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88",
                  "refsource": "MISC",
                  "url": "https://github.com/duckduckgo/Android/blob/e2f2d54a6b4452277467db403a3546512401b493/app/src/main/java/com/duckduckgo/app/global/UriExtension.kt#L83-L88"
                },
                {
                  "name": "https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100",
                  "refsource": "MISC",
                  "url": "https://github.com/duckduckgo/iOS/blob/1ae03d7221180bd6791cf6f7f06922a96335cf75/Core/AppUrls.swift#L98-L100"
                },
                {
                  "name": "https://news.ycombinator.com/item?id=23708166",
                  "refsource": "MISC",
                  "url": "https://news.ycombinator.com/item?id=23708166"
                },
                {
                  "name": "https://github.com/duckduckgo/Android/issues/527",
                  "refsource": "MISC",
                  "url": "https://github.com/duckduckgo/Android/issues/527"
                },
                {
                  "name": "https://news.ycombinator.com/item?id=23711597",
                  "refsource": "MISC",
                  "url": "https://news.ycombinator.com/item?id=23711597"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-15502",
        "datePublished": "2020-07-02T10:59:20.000Z",
        "dateReserved": "2020-07-02T00:00:00.000Z",
        "dateUpdated": "2024-08-04T13:15:20.721Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-6849 (GCVE-0-2018-6849)

    Vulnerability from cvelistv5 – Published: 2018-04-01 18:00 – Updated: 2024-08-05 06:17
    VLAI
    Summary
    In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2018-04-01 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:17:15.825Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/rapid7/metasploit-framework/pull/9538"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://voidsec.com/vpn-leak/"
              },
              {
                "name": "44403",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "https://www.exploit-db.com/exploits/44403/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://news.ycombinator.com/item?id=16699270"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://datarift.blogspot.com/p/private-ip-leakage-using-webrtc.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-04-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-04-07T09:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/rapid7/metasploit-framework/pull/9538"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://voidsec.com/vpn-leak/"
            },
            {
              "name": "44403",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "https://www.exploit-db.com/exploits/44403/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://news.ycombinator.com/item?id=16699270"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://datarift.blogspot.com/p/private-ip-leakage-using-webrtc.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2018-6849",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site that attempts to gather complete client information (such as https://ip.voidsec.com), the browser can disclose a private IP address in a STUN request."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/rapid7/metasploit-framework/pull/9538",
                  "refsource": "MISC",
                  "url": "https://github.com/rapid7/metasploit-framework/pull/9538"
                },
                {
                  "name": "https://voidsec.com/vpn-leak/",
                  "refsource": "MISC",
                  "url": "https://voidsec.com/vpn-leak/"
                },
                {
                  "name": "44403",
                  "refsource": "EXPLOIT-DB",
                  "url": "https://www.exploit-db.com/exploits/44403/"
                },
                {
                  "name": "https://news.ycombinator.com/item?id=16699270",
                  "refsource": "MISC",
                  "url": "https://news.ycombinator.com/item?id=16699270"
                },
                {
                  "name": "https://datarift.blogspot.com/p/private-ip-leakage-using-webrtc.html",
                  "refsource": "MISC",
                  "url": "https://datarift.blogspot.com/p/private-ip-leakage-using-webrtc.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2018-6849",
        "datePublished": "2018-04-01T18:00:00.000Z",
        "dateReserved": "2018-02-08T00:00:00.000Z",
        "dateUpdated": "2024-08-05T06:17:15.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }