{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54872", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-31T17:23:33.473Z", "datePublished": "2025-08-05T23:40:46.900Z", "dateUpdated": "2025-08-06T20:33:38.316Z"}, "containers": {"cna": {"title": "onion-site-template tor Secrets Baked Into Image", "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "lang": "en", "description": "CWE-798: Use of Hard-coded Credentials", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55"}, {"name": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84", "tags": ["x_refsource_MISC"], "url": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84"}], "affected": [{"vendor": "Vessel9817", "product": "onion-site-template", "versions": [{"version": ">= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-05T23:40:46.900Z"}, "descriptions": [{"lang": "en", "value": "onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd."}], "source": {"advisory": "GHSA-mj8m-c8w9-rw55", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-06T16:13:57.387408Z", "id": "CVE-2025-54872", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T20:33:38.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-06T16:13:57.387408Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T16:13:59.120Z"}}], "cna": {"title": "onion-site-template tor Secrets Baked Into Image", "source": {"advisory": "GHSA-mj8m-c8w9-rw55", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Vessel9817", "product": "onion-site-template", "versions": [{"status": "affected", "version": ">= 3196bd896fed58306d42cc9f4c1e0760e8c829c9, < bc9ba0fd8cc7fbb3abc6759b351885a4501bce84"}]}], "references": [{"url": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55", "name": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84", "name": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798: Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-05T23:40:46.900Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54872", "state": "PUBLISHED", "dateUpdated": "2025-08-06T20:33:38.316Z", "dateReserved": "2025-07-31T17:23:33.473Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-05T23:40:46.900Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd."}, {"lang": "es", "value": "onion-site-template es una muestra completa, escalable y autoalojada de un servicio oculto de Tor. Las versiones que incluyen el commit 3196bd89 contienen una imagen de Tor preinstalada si los secretos se copiaron de un dominio onion existente. Un sitio web podr\u00eda verse comprometido si un usuario compartiera la imagen preinstalada o si alguien pudiera acceder al dispositivo del usuario fuera de un entorno contenedorizado. Esto se solucion\u00f3 con el commit bc9ba0fd."}], "id": "CVE-2025-54872", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-06T00:15:31.357", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Vessel9817/onion-site-template/commit/bc9ba0fd8cc7fbb3abc6759b351885a4501bce84"}, {"source": "security-advisories@github.com", "url": "https://github.com/Vessel9817/onion-site-template/security/advisories/GHSA-mj8m-c8w9-rw55"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-08-06T15:12:40.216118+00:00", "updated": "2025-08-06T15:12:40.216176+00:00", "vendors": ["onion-site-template_project", "onion-site-template_project$PRODUCT$onion-site-template"]}