Code audit for the Tor Project completed by 7aSecurity
For the past three years, the Tor Project has been working to improve the tools, resources, and protocols used to monitor the health of the Tor network. This work aims to strengthen the Tor network’s resilience and resist relay attacks.
As part of this effort, in July and August 2025, 7ASecurity (https://7asecurity.com/) conducted a code audit of those tools.
The code audit focused on the following projects:
• TagTor (https://gitlab.torproject.org/tpo/network-health/metrics/tagtor) is a Flask web app to display metrics about the Tor network and its nodes.
• DescriptorParser (https://gitlab.torproject.org/tpo/network-health/metrics/descriptorParser) is a small, standalone Java app to import Tor network descriptors into a PostgreSQL DB and a VictoriaMetrics time series.
• Margot (https://gitlab.torproject.org/tpo/network-health/margot) is a Rust command-line application using Arti that provides a series of commands for the network health team.
• Exitmap (https://gitlab.torproject.org/tpo/network-health/exitmap-modules) is a fast and modular Python-based scanner for Tor exit relays.
• Tor_fusion (https://gitlab.torproject.org/tpo/network-health/metrics/tor_fusion) parses Tor network documents in the Rust programming language.
• Simple Bandwidth Scanner (https://gitlab.torproject.org/tpo/network-health/sbws) is a Tor bandwidth scanner that generates bandwidth files to be used by directory authorities.
• C Tor (https://gitlab.torproject.org/tpo/core/tor) protects your privacy on the internet by hiding the connection between your Internet address and the services you use. This is the software that runs on each relay of the Tor network.
• Arti (https://gitlab.torproject.org/tpo/core/arti) is the implementation of Tor in Rust. Only the Arti code that changed during this project was in scope for the audit.
The audit found six vulnerabilities and highlighted eleven hardening recommendations. All findings have been reviewed by the Tor Project, and remediation work is being tracked as part of our ongoing security and maintenance processes.
Read the full audit report
For detailed findings and recommendations, please see the complete audit report here (https://blog.torproject.org/code-audit-network-health-tools/TTP-code-audit-network-health-report.pdf).