CVE-2025-54872 | THREATINT

Description

onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd.

PUBLISHED Reserved 2025-07-31 | Published 2025-08-05 | Updated 2025-08-06 | Assigner GitHub_M

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-798: Use of Hard-coded Credentials

Product status

>= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84

affected

References

github.com/...mplate/security/advisories/GHSA-mj8m-c8w9-rw55

github.com/...ommit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84

cve.org (CVE-2025-54872)

nvd.nist.gov (CVE-2025-54872)

Download JSON