CVE-2025-4444

LOW

Tor < 0.4.7.16 and 0.4.8.0-0.4.8.17 - Uncontrolled Resource Consumption in Onion Service Descriptor Handler

Title source: llm

Description

A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is an unknown function of the component Onion Service Descriptor Handler. Performing manipulation results in resource consumption. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. Upgrading to version 0.4.8.18 and 0.4.9.3-alpha is recommended to address this issue. It is recommended to upgrade the affected component.

References (6)

Core 6

Core References

Permissions Required, VDB Entry vdb-entry

https://vuldb.com/?id.324814

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.324814

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.640605

Various Sources related

https://github.com/chunmianwang/Tordos

View Writeup ZIP pw:eip

Various Sources release-notes

https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes

Various Sources patch

https://forum.torproject.org/t/alpha-and-stable-release-0-4-8-18-and-0-4-9-3-alpha/20578

Scores

CVSS v3 3.7

EPSS 0.0044

EPSS Percentile 34.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-400 CWE-404

Status published

Products (37)

n/a/Tor 0.4.7.0

n/a/Tor 0.4.7.1

n/a/Tor 0.4.7.10

n/a/Tor 0.4.7.11

n/a/Tor 0.4.7.12

n/a/Tor 0.4.7.13

n/a/Tor 0.4.7.14

n/a/Tor 0.4.7.15

n/a/Tor 0.4.7.16

n/a/Tor 0.4.7.2

... and 27 more

Published Sep 18, 2025

Tracked Since Feb 18, 2026