CVE-2021-28089: 
NixOS vulnerability analysis and mitigation

Tor before version 0.4.5.7 contained a vulnerability (CVE-2021-28089) that allowed a remote participant in the Tor directory protocol to exhaust CPU resources on a target system. This vulnerability, also known as TROVE-2021-001, was discovered and disclosed in March 2021, affecting all Tor instances but was particularly impactful on directory authorities and relays (Tor Blog).

The vulnerability stemmed from the incorrect usage of the dump_desc() function, which was used to dump unparseable information to disk. The function would dump its entire input, but it was sometimes called with input that extended beyond the end of the string, leading to excessive CPU usage. This could potentially result in an unbounded read bug, though it wasn't considered a privacy leak since the data wasn't exposed (GitLab Issue).

The primary impact of this vulnerability was the potential for denial-of-service attacks through CPU resource exhaustion. The vulnerability was most easily exploitable against directory authorities since anyone could upload to them, but directory caches could also exploit this vulnerability against relays or clients during downloads (Tor Blog).

The vulnerability was fixed in Tor versions 0.3.5.14, 0.4.4.8, and 0.4.5.7. The fix involved disabling the dump_desc() function that was being called incorrectly. Users were recommended to upgrade to one of these versions as they became available (Tor Blog, Fedora Update).