cvedb.io
CVE-2022-28345
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2022-04-15T06:15:06.597 · Last modified 2026-06-17T04:38:24.383

Summary

The Signal app for iOS before 5.34 allows URI spoofing via right-to-left override (RTLO, U+202E) injection. It incorrectly renders RTLO-encoded URLs that begin with a non-breaking space and contain a hash character. A remote, unauthenticated attacker can use this to send legitimate-looking links that appear to point at any website, by abusing the automatic rendering of non-http/non-https text as URLs. For example, an attacker can spoof example.com and hide a malicious destination behind a trusted-looking address. The attacker needs a subdomain such as gepj, txt, fdp, or xcod, which is displayed in reverse as jpeg, txt, pdf, or docx respectively.
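The following is an added example, not Signal's code and not taken from the advisory. It shows how a messaging client (or a detection pipeline over captured messages) could flag links of this shape: find Unicode bidi control characters inside link-like tokens, approximate how the token renders once the override reverses the run, and produce a neutralized form with the controls made visible. The sample message, the `gepj.attacker.example` host and the exact arrangement of the non-breaking space, override and hash are constructed for illustration; the rendering function is a simplification of the Unicode bidi algorithm, not a faithful implementation.

```python
"""
Added example (not Signal's code, not from the advisory): a small detector
for RTLO link spoofing of the kind CVE-2022-28345 describes.

Assumptions, all mine: the client hands us the raw message text; we flag any
link-like token that contains a Unicode bidi control, show roughly how a
renderer would display it, and offer a neutralized form for display.
"""
import re

# Unicode bidirectional control characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF, NBSP = "\u202e", "\u202c", "\u00a0"

# Loose link matcher: the advisory's point is that text without an http/https
# scheme was auto-linked, so we cannot key on a scheme. Anything containing a
# dot between runs of non-ASCII-whitespace is treated as link-like. Only ASCII
# whitespace splits tokens, so a leading NBSP stays part of the token.
LINK_TOKEN_RE = re.compile(r"[^ \t\r\n]+\.[^ \t\r\n]+")

# Constructed sample message (assumed layout, not from a real attack): an
# ordinary space, then NBSP, then RLO, then a run with a "gepj" subdomain and
# a '#' character.
SAMPLE_MESSAGE = "Photo: " + NBSP + RLO + "gepj.attacker.example/#moc.elpmaxe"


def find_bidi_controls(text):
    """Return [(index, name)] for every bidi control character in text."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(text) if c in BIDI_CONTROLS]


def visual_form(text):
    """Approximate how a renderer displays text: the run after an RLO, up to
    the matching PDF (or end of text), is shown reversed; other controls are
    invisible. This ignores the full bidi algorithm (digits, neutrals), which
    is enough to see what the spoof looks like."""
    out, i = [], 0
    while i < len(text):
        c = text[i]
        if c == RLO:
            end = text.find(PDF, i + 1)
            if end == -1:
                end = len(text)
            out.append(text[i + 1:end][::-1])
            i = end + 1
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def neutralize(text):
    """Replace each bidi control with a visible escape so the raw link order
    is what the user sees. A client could apply this to auto-linked text."""
    return "".join(f"\\u{ord(c):04x}" if c in BIDI_CONTROLS else c for c in text)


def suspicious_links(message):
    """Flag link-like tokens that carry a bidi control. Each record gives the
    raw token with controls escaped, the approximate rendered form, and the
    two features the advisory calls out: leading NBSP and a '#' in the URL."""
    findings = []
    for m in LINK_TOKEN_RE.finditer(message):
        token = m.group(0)
        controls = find_bidi_controls(token)
        if not controls:
            continue
        findings.append({
            "raw": neutralize(token),
            "rendered": visual_form(token),
            "controls": [name for _, name in controls],
            "leading_nbsp": token.startswith(NBSP),
            "has_hash": "#" in token,
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_MESSAGE):
        print(finding)
```

Run stand-alone, the script reports one finding for the constructed message: the rendered form starts with `example.com` and ends in `.jpeg`, while the raw token starts with the `gepj.attacker.example` host. A client-side fix along these lines would either refuse to auto-link tokens containing bidi controls or display them through `neutralize`, so the visible text matches the destination.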

Affected products

signal — signal

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.