Low severity3.7NVD Advisory· Published Dec 3, 2017· Updated May 13, 2026

CVE-2017-8822

Description

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Tor relays with incompletely downloaded descriptors can choose themselves in a circuit path, degrading anonymity (TROVE-2017-012).

Vulnerability

In Tor versions before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, a relay that has an incompletely downloaded descriptor can pick itself in a circuit path [1]. This "self-picking" behavior occurs due to a flaw in the circuit path selection logic when descriptor data is incomplete, allowing the relay to be included as a hop in a circuit it is participating in constructing.

Exploitation

An attacker controlling or operating a Tor relay that has an incompletely downloaded descriptor (possibly due to network conditions or deliberate manipulation) can cause that relay to be selected as a hop in a circuit path built by other Tor clients or relays [1]. No special authentication or user interaction is required beyond running a relay with the incomplete descriptor; the normal circuit-building process automatically makes the selection.

Impact

Successful exploitation degrades the anonymity of Tor users whose circuits include the attacker-controlled relay. Since the relay is both a participant in the circuit and can see its own selection, it may gain additional information about the circuit's origin or destination, potentially correlating traffic flows [1]. The attack does not directly reveal plaintext content but weakens the network's ability to anonymize connections.

Mitigation

Tor has released fixed versions: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, and 0.3.2.6-alpha [1]. All users and relay operators should upgrade to one of these versions. No known workaround exists for unpatched installations; upgrading is the recommended mitigation.

References

New stable Tor releases, with security fixes: 0.3.1.9, 0.3.0.13, 0.2.9.14, 0.2.8.17, 0.2.5.16 | Tor Project

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Torproject/Tor
cpe:2.3:a:tor_project:tor:*:*:*:*:*:*:*:*
Range: <0.2.5.16
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
osv-coords2 versions
pkg:rpm/opensuse/tor&distro=openSUSE%20Tumbleweed pkg:rpm/suse/tor&distro=SUSE%20Package%20Hub%2012
< 0.4.6.7-2.2+ 1 more
- (no CPE)range: < 0.4.6.7-2.2
- (no CPE)range: < 0.3.1.9-8.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516nvdVendor Advisory
bugs.torproject.org/21534nvdIssue TrackingVendor Advisory
bugs.torproject.org/24333nvdVendor Advisory
www.debian.org/security/2017/dsa-4054nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.240
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000