CVE-2025-54872: CWE-798: Use of Hard-coded Credentials in Vessel9817 onion-site-template

Severity: High
Published: Tue Aug 05 2025 (08/05/2025, 23:40:46 UTC)
Source: CVE Database V5
Vendor/Project: Vessel9817
Product: onion-site-template

Description

onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd.

AI-Powered Analysis

Last updated: 08/13/2025, 01:08:48 UTC

Technical Analysis

CVE-2025-54872 is a high-severity vulnerability identified in the Vessel9817 project's onion-site-template, a scalable Tor hidden service self-hosting sample. The vulnerability is classified under CWE-798, which pertains to the use of hard-coded credentials. Specifically, versions of onion-site-template containing commit 3196bd89 include a baked-in Tor image that may contain embedded secrets copied from an existing onion domain. This hard-coded secret within the image can lead to unauthorized access if an attacker obtains the baked-in image or gains access to the user's device outside of a properly isolated containerized environment. The vulnerability does not require authentication or user interaction to exploit, and it can be triggered remotely over the network due to the nature of Tor hidden services. The flaw was addressed and fixed in commit bc9ba0fd. The CVSS 4.0 base score is 8.7, reflecting a high severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality due to exposure of sensitive credentials. The vulnerability does not affect integrity or availability directly but compromises confidentiality, potentially allowing attackers to impersonate or take control of the hidden service. No known exploits are currently reported in the wild, but the risk remains significant given the ease of exploitation and the critical nature of the secrets involved.

Potential Impact

For European organizations leveraging Tor hidden services for anonymity, secure communications, or hosting sensitive content, this vulnerability poses a substantial risk. Exposure of hard-coded credentials could lead to unauthorized access to hidden services, compromising confidentiality and potentially enabling attackers to impersonate legitimate services or intercept sensitive data. This could damage organizational reputation, lead to data breaches, or facilitate further attacks such as phishing or malware distribution via compromised onion sites. Given the increasing use of Tor for privacy-focused services in Europe, especially by NGOs, journalists, and privacy-conscious enterprises, the impact could be widespread. Additionally, organizations relying on containerization for security isolation may have a false sense of protection if the baked-in image is extracted and secrets are leaked. The vulnerability could also affect law enforcement or governmental agencies using onion services for covert operations, raising national security concerns.

Mitigation Recommendations

Organizations should immediately update the onion-site-template to versions including or beyond commit bc9ba0fd where the hard-coded credentials issue is fixed. It is critical to avoid using any baked-in images containing secrets copied from existing onion domains. Instead, generate unique secrets per deployment and store them securely using environment variables or dedicated secret management tools. Ensure that containerized environments are properly isolated and that images are not shared or distributed outside trusted boundaries. Conduct thorough audits of existing deployments to identify and replace any compromised images or credentials. Implement strict access controls and monitoring on devices hosting onion services to detect unauthorized access attempts. Additionally, consider employing runtime security tools that can detect anomalous behavior indicative of credential misuse or service impersonation. Regularly review and update security policies related to Tor service deployment and secret management to prevent recurrence.
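One way to carry out the image audit recommended above, as an added example (not code from the onion-site-template project). It assumes the image has been exported as a `docker save`-style tar archive and reports any layer containing a Tor v3 onion-service secret key, matched by the file name `hs_ed25519_secret_key` or by the key-file header. The sample image, its layer names and its paths are constructed placeholders.

```python
import io
import tarfile

# File name and header Tor uses for a v3 onion-service secret key.
KEY_FILENAME = "hs_ed25519_secret_key"
KEY_MAGIC = b"== ed25519v1-secret: type0 =="

def scan_layer(layer_bytes, layer_name):
    """Return (layer, path) for each secret key, matched by file name or header."""
    try:
        layer = tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*")
    except tarfile.TarError:
        return []  # manifest or config JSON, not a layer tar
    findings = []
    with layer:
        for member in layer:
            if not member.isfile():
                continue
            head = layer.extractfile(member).read(len(KEY_MAGIC))
            if member.name.rsplit("/", 1)[-1] == KEY_FILENAME or head == KEY_MAGIC:
                findings.append((layer_name, member.name))
    return findings

def scan_image_archive(archive):
    """Scan each layer separately: a key deleted by a later layer is still in the earlier one."""
    findings = []
    with tarfile.open(fileobj=archive, mode="r:*") as image:
        for entry in image:
            if entry.isfile():
                findings += scan_layer(image.extractfile(entry).read(), entry.name)
    return findings

def make_tar(files):
    """Build an in-memory tar from {name: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image():
    """Constructed sample: one clean layer, one layer with a zeroed placeholder key."""
    fake_key = KEY_MAGIC + b"\x00" * 67  # header padding + zeroed key bytes
    clean = make_tar({"etc/tor/torrc": b"HiddenServiceDir /var/lib/tor/site\n"})
    baked = make_tar({"var/lib/tor/site/" + KEY_FILENAME: fake_key})
    image = {"manifest.json": b"[]", "aaa/layer.tar": clean, "bbb/layer.tar": baked}
    return io.BytesIO(make_tar(image))
```

For a real image, pass a file opened in binary mode to `scan_image_archive`. Any finding means the image must be treated as carrying the onion service's identity and the key replaced.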

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-31T17:23:33.473Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68929ba5ad5a09ad00ec79ac

Added to database: 8/6/2025, 12:02:45 AM

Last enriched: 8/13/2025, 1:08:48 AM

Last updated: 9/15/2025, 1:13:17 PM
