CVE-2022-28345

7.5 HIGH

📋 TL;DR

This vulnerability in Signal for iOS allows attackers to spoof URLs using Right-to-Left Override (RTLO) characters combined with non-breaking spaces and hash characters. Attackers can create malicious links that appear to be legitimate websites (like example.com) but actually redirect to malicious destinations. Users of Signal for iOS before version 5.34 are affected.

💻 Affected Systems

Products:
  • Signal for iOS
Versions: All versions before 5.34
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to send messages with specially crafted URLs containing RTLO characters and specific subdomains.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users could be tricked into visiting malicious websites that steal credentials, install malware, or conduct financial fraud through convincing phishing attacks.

🟠

Likely Case

Successful phishing campaigns where users click spoofed links thinking they're visiting legitimate websites, potentially leading to credential theft.

🟢

If Mitigated

Users remain suspicious of all links and verify destinations before clicking, limiting successful phishing attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending messages to target users. Public proof-of-concept tools like RIUS demonstrate the technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.34 and later

Vendor Advisory: https://github.com/signalapp/Signal-iOS/releases

Restart Required: No

Instructions:

1. Open the App Store on the iOS device
2. Search for Signal
3. Update to version 5.34 or higher
4. No restart required

🔧 Temporary Workarounds

Disable automatic URL rendering (ios): Configure Signal to not automatically render URLs in messages

User education (all): Train users to hover over links before clicking and verify URL destinations

🧯 If You Can't Patch

  • Implement email/web filtering to block messages containing RTLO characters in URLs
  • Deploy endpoint protection that warns users about potentially spoofed URLs

🔍 How to Verify

Check if Vulnerable:

Check Signal version in iOS Settings > Signal > Version. If below 5.34, vulnerable.

Check Version:

Not applicable - check via iOS Settings app

Verify Fix Applied:

Confirm Signal version is 5.34 or higher in iOS Settings > Signal > Version.

📡 Detection & Monitoring

Log Indicators:

  • Messages containing URLs with RTLO characters (U+202E)
  • URLs with unusual subdomains like gepj, txt, fdp, xcod

Network Indicators:

  • Unusual redirect patterns from Signal messages
  • Connections to unexpected domains following Signal links

SIEM Query:

search 'U+202E' OR 'RTLO' OR 'right-to-left override' in message logs
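The log indicators above can be turned into a small scanner. The following is an added detection example, not code from the advisory or from the Signal project: it walks message-log lines, pulls out URLs, flags any Unicode bidirectional control characters (U+202E RTLO plus related overrides, treated as equally suspicious here by assumption), flags the non-breaking space the advisory mentions, and checks the real hostname for the reversed-extension subdomain labels listed above. The sample messages and the attacker.example host are constructed for the demo and do not reproduce the published proof of concept.

```python
import re
from urllib.parse import urlsplit

# Unicode bidirectional control characters that can change how a URL is
# displayed. U+202E (RTLO) is the one named in the advisory; the related
# embeddings/overrides/isolates are flagged in the same pass (assumption).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}

# Subdomain labels from the advisory's log indicators: common file
# extensions spelled backwards, which is what makes an RTLO-reversed
# string read like a file name.
SUSPICIOUS_LABELS = {"gepj", "txt", "fdp", "xcod"}

# Match URLs up to ASCII whitespace only. A plain \S+ would stop at a
# non-breaking space (U+00A0), which is exactly a character we want to keep.
URL_RE = re.compile(r"https?://[^ \t\r\n]+")


def strip_bidi(text):
    """Remove bidi control characters so the parser sees the real structure."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def analyze_url(url):
    """Return the actual host and a list of findings for one URL string."""
    findings = []

    controls = sorted({f"U+{ord(c):04X}" for c in url if c in BIDI_CONTROLS})
    if controls:
        findings.append("bidi_control:" + ",".join(controls))

    # The host a browser would actually contact, ignoring display tricks.
    host = urlsplit(strip_bidi(url)).hostname or ""
    hits = sorted(set(host.split(".")) & SUSPICIOUS_LABELS)
    if hits:
        findings.append("suspicious_label:" + ",".join(hits))

    if "\u00a0" in url:
        findings.append("nbsp_in_url")

    return {"url": url, "host": host, "findings": findings}


def scan_messages(lines):
    """Scan message-log lines and return one alert per URL with findings."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            result = analyze_url(match.group(0))
            if result["findings"]:
                result["line"] = lineno
                alerts.append(result)
    return alerts


# Constructed sample log lines (not real traffic). Line 2 carries the three
# ingredients the advisory names: a reversed-extension subdomain, a hash,
# a non-breaking space and an RTLO character.
SAMPLE_MESSAGES = [
    "alice: see https://example.com/docs for details",
    "bob: https://gepj.attacker.example/#\u00a0\u202emoc.elpmaxe",
    "carol: no link in this one",
]


def run_sample():
    """Scan the constructed sample and return the alerts."""
    return scan_messages(SAMPLE_MESSAGES)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"line {alert['line']}: host={alert['host']} {alert['findings']}")
```

The useful output for a responder is the host field: it is what the device will connect to, regardless of what the rendered link looked like, so an alert can be enriched with that value rather than with the visually spoofed text.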
