
The Tor Project has concluded a comprehensive security audit on its network health monitoring ecosystem, identifying six vulnerabilities and issuing eleven additional hardening recommendations.
The audit, conducted in October 2025 by penetration testing firm 7aSecurity, focused on tools integral to detecting and mitigating threats such as relay attacks and Sybil behavior on the Tor network.
Over the course of 22.85 workdays, 7aSecurity engineers conducted a whitebox security review using full source code access, staging environments, and test credentials, allowing them to simulate realistic adversarial conditions.
The scope of the audit covered multiple software components developed by the Tor Project's Network Health team, such as:
- TagTor – a Flask-based web application for visualizing relay and network data
- DescriptorParser – a Java tool for importing network descriptors into databases
- Margot – a Rust CLI for analyzing network health using the Arti Tor client
- Exitmap – a Python tool for scanning Tor exit relays
- Tor_fusion – a Rust parser for network documents
- Simple Bandwidth Scanner (SBWS) – used by directory authorities to generate bandwidth files
- Arti and Tor C – Rust and C implementations of the Tor protocol, focusing only on recent code changes.
The Tor Project is a nonprofit organization that maintains the Tor network, a system designed to facilitate anonymous communication online by routing traffic through a global volunteer-run network of relays. The tools audited are vital for internal teams to monitor the integrity and health of that network, detect anomalies, and respond to potential attacks.
Key findings
Among the six identified vulnerabilities, the most serious is a critical flaw in the Sybil Hunter module of the Margot tool. The tool's core logic relies on Levenshtein string similarity across flattened relay attributes, leading to both false positives and evasion by malicious actors. This flaw undermines the reliability of Sybil detection, which is essential for identifying clusters of relays controlled by a single adversary.
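As an added illustration, not code from the audit report or from Margot itself, the constructed Python below shows why edit distance over one flattened attribute string is an unstable Sybil signal: a pair of unrelated relays with default-looking attributes scores above the threshold, while a pair that shares operator-specific settings falls below it once one free-text field grows. The field list, separator, threshold and relay records are all assumptions.

```python
# Added example: why Levenshtein similarity over *flattened* relay attributes
# is a weak Sybil signal. The field list, separator, threshold and relay
# records below are constructed for illustration and are not Margot's logic.

FIELDS = ("nickname", "platform", "version", "or_port", "contact")
THRESHOLD = 0.80  # assumed: pairs scoring at or above this count as one cluster

def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def flatten(relay: dict) -> str:
    """Join every attribute into one string, as a flattened comparison does."""
    return "|".join(str(relay[k]) for k in FIELDS)

def similarity(r1: dict, r2: dict) -> float:
    """Normalised similarity in [0, 1]; 1.0 means identical flattened strings."""
    s1, s2 = flatten(r1), flatten(r2)
    return 1.0 - levenshtein(s1, s2) / max(len(s1), len(s2), 1)

def same_cluster(r1: dict, r2: dict) -> bool:
    return similarity(r1, r2) >= THRESHOLD

# Constructed records. Two unrelated operators who both kept the default
# nickname and run a common version: almost every character lines up.
UNRELATED_A = {"nickname": "Unnamed", "platform": "Linux", "version": "0.4.8.12",
               "or_port": 9001, "contact": "none"}
UNRELATED_B = {"nickname": "Unnamed", "platform": "Linux", "version": "0.4.8.12",
               "or_port": 9001, "contact": "nobody"}
# Two relays with the same operator-specific settings, differing mainly in the
# length of the free-text contact field, which then dominates the distance.
SAME_OP_A = {"nickname": "relay01", "platform": "Linux", "version": "0.4.8.12",
             "or_port": 443, "contact": "ops@example.test"}
SAME_OP_B = {"nickname": "relay02", "platform": "Linux", "version": "0.4.8.12",
             "or_port": 443, "contact": "tor-admin@relays.example.test (PGP key on request)"}

if __name__ == "__main__":
    print(f"unrelated pair:     {similarity(UNRELATED_A, UNRELATED_B):.2f} flagged={same_cluster(UNRELATED_A, UNRELATED_B)}")
    print(f"same-operator pair: {similarity(SAME_OP_A, SAME_OP_B):.2f} flagged={same_cluster(SAME_OP_A, SAME_OP_B)}")
```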
Two additional high-severity denial-of-service (DoS) issues were discovered in the TagTor platform:
- An unbounded limit parameter allowed authenticated users to overload the backend by requesting excessive data from the PostgreSQL database.
- A flaw in family tag processing enabled malicious users to submit thousands of tags, triggering performance collapse via inefficient string matching in SQL queries.
A medium-severity CSRF vulnerability in TagTor could allow unauthorized actions through malicious POST requests, while the remaining issues were information disclosure via verbose error messages and a low-severity DoS vector in Margot caused by unsafe .unwrap() usage in Rust code.
In addition to the six confirmed vulnerabilities, 7aSecurity issued eleven hardening recommendations concerning the lack of session management and reliance on Basic Authentication without certificate pinning, hardcoded secrets in configuration files, SHA-1 hash usage in legacy code, and vulnerable third-party Rust dependencies.
The Tor Project has acknowledged the issues and stated that all findings have been reviewed. Remediation efforts are ongoing and being tracked as part of their standard security and maintenance lifecycle.