CVE-2025-54872
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-08-06
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| torproject | tor | * |
| vessel9817 | onion-site-template | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
In onion-site-template, the tor image is built with secrets baked in if those secrets were copied from an existing onion domain. An image built this way could lead to a website compromise if a user shares it or if an attacker gains access to the user's device outside of a containerized environment. The issue was fixed in a later commit.
How can this vulnerability impact me?
This vulnerability can lead to a website being compromised if the baked-in tor image is shared or if an attacker gains access to the user's device outside of a containerized environment, potentially exposing sensitive information or control over the hidden service.
What immediate steps should I take to mitigate this vulnerability?
Update onion-site-template to a version that includes the fix from commit bc9ba0fd, which removes the baked-in tor image vulnerability. Avoid sharing baked-in images that may contain secrets from existing onion domains, and ensure that access to devices running the vulnerable versions is restricted, especially outside containerized environments.