CVE-2025-4444Uncontrolled Resource Consumption in TOR

CWE-400Uncontrolled Resource ConsumptionCWE-404Improper Resource Shutdown or ReleaseCWE-611XML External Entity (XXE) Injection12 documents8 sources
Severity
6.3MEDIUMNVD
GHSA7.5
EPSS
0.1%
top 79.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Torproject TOR
Timeline
PublishedSep 18
Latest updateApr 8

Description

A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is an unknown function of the component Onion Service Descriptor Handler. Performing manipulation results in resource consumption. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. Upgrading to version 0.4.8.18 and 0.4.9.3-alpha is recommended to address this issue. It is recommended to upgrade the affected component.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

Debiantorproject/tor< 0.4.9.6-0+deb12u1+2
CVEListV5torproject/tor35 versions+34

🔴Vulnerability Details

4
GHSA
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection2025-11-10
GHSA
GHSA-qc3c-vmf8-hgcj: A security flaw has been discovered in Tor up to 02025-09-18
OSV
CVE-2025-4444: A security flaw has been discovered in Tor up to 02025-09-18
CVEList
Tor Onion Service Descriptor resource consumption2025-09-18

💥Exploits & PoCs

5
Exploit-DB
FortiWeb 8.0.2 - Remote Code Execution2026-04-08
Exploit-DB
PCMan FTP Server 2.0.7 - Buffer Overflow2025-06-15
Exploit-DB
Freefloat FTP Server 1.0 - Remote Buffer Overflow2025-06-13
Exploit-DB
Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow2025-05-25
Exploit-DB
Apache Commons Text 1.10.0 - Remote Code Execution2025-04-18

📋Vendor Advisories

2
Red Hat
cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection2025-11-10
Debian
CVE-2025-4444: tor - A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is ...2025
CVE-2025-4444 — Uncontrolled Resource Consumption | cvebase