4 matches found
CVE-2025-24888
The CVE-2025-24888 issue affects the SecureDrop Client, specifically the API.download_reply() path traversal flaw. The vulnerability arises from using the filename in the Content-Disposition header to write the encrypted reply to disk; although server-side filenames are sanitized, the file can be...
Linux Gather TOR Hidden Services
This module collects the hostnames and private keys of any TOR Hidden Services running on the target machine. It searches for torrc and, if found, parses it for the directories of Hidden Services. However, root permissions are required to read them as they are owned by the user that TO...
Tor Hidden Services Load Balancing: OnionBalance
The OnionBalance software allows for Tor hidden service requests to be distributed across multiple backend Tor instances. OnionBalance provides load-balancing while also making onion services more resilient and reliable by eliminating single points-of-failure...
Default Apache Configuration Can Unmask Tor Hidden Services
Attention Tor Onion Hosters! A year-old loophole in Apache Web Server, uncovered by an unknown computer science student, could potentially unmask the real identity of .onion domains and servers hidden behind the Tor network. Although the loophole was reported on Reddit and to the Tor Project mont...