
Cloud Vulnerability DB
A community-led vulnerabilities database
Brave browser, an open-source web browser focused on privacy and security, contained a vulnerability in versions 1.17.73-1.20.103 where the CNAME adblocking feature accidentally initiated DNS requests that bypassed the Brave Tor proxy. The vulnerability was discovered in early 2021 and was fixed in version 1.20.108 (GitHub Advisory).
The vulnerability was introduced with the CNAME adblocking feature added in Brave 1.17.73. When users had adblocking enabled in Tor windows, DNS requests from CNAME adblocking would leak to their DNS provider instead of being routed through the Tor network. Other DNS requests not initiated by CNAME adblocking would still go through Tor as expected (GitHub Advisory).
The vulnerability compromised user privacy by leaking DNS requests from Tor windows to the user's DNS provider, potentially revealing browsing activity that was intended to be anonymous through Tor. It affected users who had adblocking enabled and were using Tor windows (GitHub Advisory).
The issue was fixed in Brave version 1.20.108 by disabling CNAME adblocking for Tor windows. This solution was implemented after considering various approaches including routing DoH through Tor, which was deemed too complex due to potential DNS and proxy code looping issues (GitHub PR).
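For triage, the version boundaries above can be applied to a browser inventory. The following is an added example, not code from Brave or the advisory; the host names and the inventory format are constructed, and versions between the last affected and first fixed release are reported as "unlisted" because the advisory does not describe them.

```python
import re

# Version boundaries taken from the advisory text above.
FIRST_AFFECTED = (1, 17, 73)   # CNAME adblocking introduced
LAST_AFFECTED = (1, 20, 103)
FIRST_FIXED = (1, 20, 108)     # CNAME adblocking disabled in Tor windows

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not x.y.z."""
    m = _VERSION_RE.match(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Map one Brave version string to a triage status."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    # Integer tuples compare numerically, so 1.9.x sorts before 1.17.x
    # (a plain string comparison would get this wrong).
    if v < FIRST_AFFECTED:
        return "not-affected"
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unlisted"  # between 1.20.103 and 1.20.108: not covered by the advisory


def triage(inventory):
    """inventory: iterable of (host, version) -> {status: sorted host list}."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("laptop-01", "1.17.73"), ("laptop-02", "1.20.103"),
    ("laptop-03", "1.20.108"), ("laptop-04", "1.16.76"),
    ("laptop-05", "1.20.105"), ("laptop-06", "1.9.80"),
    ("laptop-07", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Hosts in the "affected" group are the ones where Tor windows with adblocking enabled could have sent CNAME lookups to the regular DNS provider.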
Source: This report was generated using AI