---

Syncthing is an open-source program for synchronizing files between your devices. Its mission is to keep your files in sync, encrypted, and private. But in December 2022, a serious security issue—CVE-2022-46165—was discovered. It allowed attackers to execute scripts in your browser just by syncing malicious files or devices.

This post explains how this vulnerability worked, its dangers, code-level details, and how to stay safe.

What is CVE-2022-46165?

CVE-2022-46165 is a "Stored Cross Site Scripting" (XSS) vulnerability in Syncthing, affecting all versions before 1.23.5.

How does it work?

It’s simple but dangerous:  
If you sync with a compromised or untrusted Syncthing device, that device can send you a file or folder whose name contains JavaScript code or HTML. When you open Syncthing’s web interface and hover your mouse over some of these names in your folder settings, the embedded script could run in your browser—with the same access you have.

Where did the vulnerability happen?

Syncthing’s WebUI (the web dashboard you use to manage folders & devices) did not properly sanitize file, folder, or device names when rendering them as HTML.

For example, a file named

"><script>alert('Hacked!')</script>

would appear untouched in the folder list panel. If you hovered or interacted with it, the script would execute.

Malicious file names or device names could carry this payload. Since the script is "stored" from the remote attacker and only needs you to access web interface, this XSS is very dangerous.

Here’s a trimmed down HTML output that could result from a malicious folder name

<tr>
  <td>
    <span title="&quot;&gt;&lt;script&gt;alert('Hacked!')&lt;/script&gt;">
      "><script>alert('Hacked!')</script>
    </span>
  </td>
</tr>

If Syncthing fails to escape the name, the browser sees <script>alert('Hacked!')</script> and executes it immediately.

Result:

`

)">

`

2. You open WebUI > Folders/Devices, hover or view this entry.
3. Your browser sends your session/cookie or runs attacker’s code.

How bad is it?

- No interaction needed: Just open the folder/device settings page.

How did Syncthing fix it?

The developers fixed this in Syncthing v1.23.5 by properly escaping user-controlled names before showing them in the browser.

Here’s an example Go snippet using html/template escape functions

import "html/template"

func renderFolderName(name string) template.HTML {
    // Escape dangerous characters
    return template.HTMLEscapeString(name)
}

They applied such escaping everywhere a user-supplied string could appear in the UI.

1. Upgrade to the latest Syncthing

This is the only complete fix.  
Download latest Syncthing

2. Do not share folders or devices with untrusted users

Never sync folders with strangers, or anyone you don’t fully trust, until you are 100% patched.

3. Check for suspicious device or folder names

If you see weird folder/device names containing quotes, angle brackets, or scripts—delete them and investigate.

4. Restrict WebUI access

Ensure that only you can access the WebUI (e.g., bind to localhost, use authentication, or firewall).

- GitHub Advisory: CVE-2022-46165
- Syncthing Release 1.23.5
- NVD Details: CVE-2022-46165
- Official Syncthing Changelog

Final Word

CVE-2022-46165 proves that even simple things—like a file name—can lead to serious security risks when handling user data in web apps. If you’re a Syncthing user, update now.

If you manage other open-source tools, always sanitize user input, and watch for similar XSS flaws. Stay safe while syncing!


*Exclusive write-up by GPT-4. Data sourced from public advisories and Syncthing’s security updates.*

Timeline

Published on: 06/06/2023 18:15:00 UTC
Last modified on: 06/16/2023 04:15:00 UTC