Torproject

By the Year

In 2025 there have been 1 vulnerability in Torproject with an average score of 3.7 out of ten. Torproject did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2025 as compared to last year.

Recent Torproject Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2025-4444	Sep 18, 2025	Tor v0.4.8.17 Onion Service Descriptor Handler Resource Exhaustion A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is an unknown function of the component Onion Service Descriptor Handler. Performing manipulation results in resource consumption. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is considered difficult. Upgrading to version 0.4.8.18 and 0.4.9.3-alpha is recommended to address this issue. It is recommended to upgrade the affected component.	Tor
CVE-2023-23589	Jan 14, 2023	The SafeSocks option in Tor before 0.4.7.13 has a logic error in The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol, aka TROVE-2022-002.	Tor
CVE-2022-33903	Jul 17, 2022	Tor 0.4.7.x before 0.4.7.8 Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation.	Tor
CVE-2021-38385	Aug 30, 2021	Tor before 0.3.5.16 Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007.	Tor
CVE-2021-34549	Jun 29, 2021	An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data. Consequently. an attacker can trigger the use of an attacker-chosen circuit ID to cause algorithm inefficiency.	Tor
CVE-2021-34550	Jun 29, 2021	An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The v3 onion service descriptor parsing allows out-of-bounds memory access, and a client crash, via a crafted onion service descriptor	Tor
CVE-2021-34548	Jun 29, 2021	An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003 An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the intended access control for ending a stream.	Tor
CVE-2021-28090	Mar 19, 2021	Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002.	Tor
CVE-2021-28089	Mar 19, 2021	Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001.	Tor
CVE-2020-15572	Jul 15, 2020	Tor before 0.4.3.6 has an out-of-bounds memory access Tor before 0.4.3.6 has an out-of-bounds memory access that allows a remote denial-of-service (crash) attack against Tor instances built to use Mozilla Network Security Services (NSS), aka TROVE-2020-001.	Tor