
CVE-2025-54872: CWE-798: Use of Hard-coded Credentials in Vessel9817 onion-site-template

Severity: High
Published: Tue Aug 05 2025 (08/05/2025, 23:40:46 UTC)
Source: CVE Database V5
Vendor/Project: Vessel9817
Product: onion-site-template

Description

onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd.

AI-Powered Analysis

Last updated: 08/06/2025, 00:17:52 UTC

Technical Analysis

CVE-2025-54872 is a high-severity vulnerability classified under CWE-798, which pertains to the use of hard-coded credentials. This vulnerability affects the Vessel9817 project's onion-site-template, a scalable Tor hidden service self-hosting sample. The issue exists in versions containing commit 3196bd89 up to but not including commit bc9ba0fd. Specifically, these versions include a baked-in Tor image that may contain hard-coded secrets copied from an existing onion domain. This baked-in image can inadvertently expose sensitive credentials if shared publicly or if an attacker gains access to the user's device outside of a properly isolated containerized environment. The vulnerability allows an attacker to potentially compromise the hidden service website by leveraging these embedded secrets without requiring any authentication or user interaction. The CVSS 4.0 base score of 8.7 reflects the ease of exploitation (network vector, low attack complexity, no privileges or user interaction required) and the high impact on confidentiality (complete compromise of secrets), though integrity and availability impacts are not indicated. The vulnerability was addressed in commit bc9ba0fd, which presumably removes or secures the hard-coded credentials. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations utilizing the onion-site-template for hosting Tor hidden services, this vulnerability poses a significant risk. The exposure of hard-coded credentials can lead to unauthorized access and full compromise of the hidden service, potentially resulting in data leakage, defacement, or service disruption. Given the nature of Tor hidden services, which are often used for privacy-sensitive or censorship-resistant applications, exploitation could undermine user anonymity and trust. European entities involved in secure communications, whistleblowing platforms, or privacy-focused services could face reputational damage and legal consequences under regulations such as GDPR if sensitive data is exposed. Additionally, the compromise of these services could be leveraged by threat actors for further attacks or surveillance. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation if vulnerable versions are deployed.

Mitigation Recommendations

European organizations should immediately audit their deployments of the onion-site-template to identify affected versions, meaning those that contain commit 3196bd89 but not the fix in commit bc9ba0fd. They must upgrade to the fixed version that removes the hard-coded credentials. If upgrading is not immediately feasible, organizations should ensure that the environment running the service is fully containerized and isolated, with strict access controls to prevent unauthorized device access. Additionally, any baked-in images or configuration files containing secrets should be regenerated with unique, non-hardcoded credentials. Organizations should implement secure secret management practices, such as environment variables or dedicated secret stores, and avoid embedding secrets in code or images. Regular security reviews and scans for hard-coded credentials in codebases and container images should be instituted. Monitoring for unusual access patterns to the Tor hidden service and network traffic analysis can help detect potential exploitation attempts. Finally, organizations should educate developers and administrators on the risks of hard-coded credentials and enforce secure coding standards.
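One way to run the container-image scan recommended above, as an added example that is not code from the onion-site-template project: it walks an exported image tarball (such as the output of `docker save`), descends into each layer, and reports Tor v3 onion-service secret keys. It assumes the baked-in secrets are standard Tor v3 key files; the sample image, its paths and its key bytes are constructed.

```python
import io
import tarfile

# Standard 32-byte header of a Tor v3 onion-service secret key file.
TOR_V3_HEADER = b"== ed25519v1-secret: type0 ==\x00\x00\x00"
KEY_FILE_NAME = "hs_ed25519_secret_key"

def scan_tar(fileobj, prefix=""):
    """Return paths of Tor v3 secret keys in a tar, recursing into layer tars."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            path = prefix + member.name
            base = member.name.rsplit("/", 1)[-1]
            # Match on content first so a renamed key file is still caught.
            if data.startswith(TOR_V3_HEADER) or base == KEY_FILE_NAME:
                hits.append(path)
                continue
            try:  # image layers are themselves tar archives
                hits += scan_tar(io.BytesIO(data), prefix=path + "!")
            except (tarfile.TarError, EOFError, OSError):
                pass  # not an archive; nothing more to inspect
    return sorted(hits)

def make_tar(files):
    """Build an in-memory tar from {name: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def sample_image(layer_files):
    """Constructed stand-in for an exported image: one layer plus a manifest."""
    layer = make_tar(layer_files).getvalue()
    return make_tar({"manifest.json": b"[]", "layer0/layer.tar": layer})

# Constructed sample: dummy key bytes, hypothetical paths.
BAKED = {"etc/tor/torrc": b"HiddenServiceDir /var/lib/tor/hs\n",
         "var/lib/tor/hs/hs_ed25519_secret_key": TOR_V3_HEADER + bytes(64)}

if __name__ == "__main__":
    for hit in scan_tar(sample_image(BAKED)):
        print("secret key baked into image:", hit)
```

Any hit means the onion address tied to that key should be treated as exposed wherever the image has been shared, and the image rebuilt without the key.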


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-31T17:23:33.473Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68929ba5ad5a09ad00ec79ac

Added to database: 8/6/2025, 12:02:45 AM

Last enriched: 8/6/2025, 12:17:52 AM

Last updated: 8/6/2025, 12:34:10 AM
