CVE Details
Basic Information
| Title | onion-site-template tor Secrets Baked Into Image |
|---|---|
| Type | cve |
| Published | 2025-08-05T23:40:46.900Z |
| Modified | 2025-08-05T23:40:46.900Z |
Product Information
| Vendor | Vessel9817 |
|---|---|
| Product | onion-site-template |
| Version | >= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84 |
CVSS Information
| Base Score | 8.7 (HIGH) |
|---|---|
| Vector String | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |
AI Analysis
| AI Description | The onion-site-template contains a vulnerability where sensitive Tor secrets are baked into the image. If an attacker gains access to the image or the user’s device, they could compromise the website. This issue is resolved in a later commit. |
|---|---|
| AI Severity | Medium |
| AI Vendor | Vessel9817 |
| AI Product | onion-site-template |
| AI Version | >= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84 |
Affected Products
- Vessel9817 onion-site-template >= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84
Additional Information
| CWE List | CWE-798 |
|---|---|
| Source | GitHub_M |
Description
onion-site-template is a complete, scalable Tor hidden service self-hosting sample. Versions that include commit 3196bd89 bake the Tor secrets into the image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the image with the baked-in secrets, or if someone were able to gain access to the user’s device outside of a containerized environment. This is fixed by commit bc9ba0fd.