CVE-2025-54872 (GCVE-0-2025-54872)

Vulnerability from cvelistv5 – Published: 2025-08-05 23:40 – Updated: 2025-08-06 20:33
VLAI
Title
onion-site-template tor Secrets Baked Into Image
Summary
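onion-site-template is a complete, scalable tor hidden service self-hosting sample. In versions which include commit 3196bd89, the tor image is built with the hidden service's secrets baked in if those secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd. An image already built from an affected version would presumably still contain the copied secrets after the repository is updated, so such images should be rebuilt rather than reused, and if one was ever shared the onion service's secrets should be treated as exposed.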
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
Vendor Product Version
Vessel9817 onion-site-template Affected: >= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54872",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-06T16:13:57.387408Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-06T20:33:38.316Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "onion-site-template",
          "vendor": "Vessel9817",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, \u003c bc9ba0fd8cc7fbb3abc6759b351885a4501bce84"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user\u0027s device outside of a containerized environment. This is fixed by commit bc9ba0fd."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798: Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-05T23:40:46.900Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55"
        },
        {
          "name": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84"
        }
      ],
      "source": {
        "advisory": "GHSA-mj8m-c8w9-rw55",
        "discovery": "UNKNOWN"
      },
      "title": "onion-site-template tor Secrets Baked Into Image"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54872",
    "datePublished": "2025-08-05T23:40:46.900Z",
    "dateReserved": "2025-07-31T17:23:33.473Z",
    "dateUpdated": "2025-08-06T20:33:38.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-54872",
      "date": "2026-06-03",
      "epss": "0.00323",
      "percentile": "0.55594"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54872\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-06T00:15:31.357\",\"lastModified\":\"2025-08-06T20:23:52.133\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user\u0027s device outside of a containerized environment. This is fixed by commit bc9ba0fd.\"},{\"lang\":\"es\",\"value\":\"onion-site-template es una muestra completa, escalable y autoalojada de un servicio oculto de Tor. Las versiones que incluyen el commit 3196bd89 contienen una imagen de Tor preinstalada si los secretos se copiaron de un dominio onion existente. Un sitio web podr\u00eda verse comprometido si un usuario compartiera la imagen preinstalada o si alguien pudiera acceder al dispositivo del usuario fuera de un entorno contenedorizado. 
Esto se solucion\u00f3 con el commit bc9ba0fd.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"references\":[{\"url\":\"https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84\",\"source\":\"security-advisories@gi
thub.com\"},{\"url\":\"https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54872\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-06T16:13:57.387408Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-06T16:13:59.120Z\"}}], \"cna\": {\"title\": \"onion-site-template tor Secrets Baked Into Image\", \"source\": {\"advisory\": \"GHSA-mj8m-c8w9-rw55\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Vessel9817\", \"product\": \"onion-site-template\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, \u003c bc9ba0fd8cc7fbb3abc6759b351885a4501bce84\"}]}], \"references\": [{\"url\": \"https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55\", \"name\": \"https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84\", \"name\": \"https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84\", 
\"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user\u0027s device outside of a containerized environment. This is fixed by commit bc9ba0fd.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798: Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-05T23:40:46.900Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54872\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-06T20:33:38.316Z\", \"dateReserved\": \"2025-07-31T17:23:33.473Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-05T23:40:46.900Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}







Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
