PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-3180 Tor Browser Launcher Project CVE debrief

CVE-2016-3180 affects Tor Browser Launcher (torbrowser-launcher) before 0.2.4. During the initial run, a man-in-the-middle attacker could bypass PGP signature verification and cause arbitrary code execution by supplying a trojan horse tar file together with a valid signature file. NVD classifies the issue as high severity and lists version 0.2.3 as vulnerable.

Vendor: Tor Browser Launcher Project
Product: Tor Browser Launcher
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

People using or packaging torbrowser-launcher before 0.2.4, especially anyone who installs or launches it for the first time over an untrusted network path or from a compromised mirror.

Technical summary

The issue is an initial-run trust failure in torbrowser-launcher. According to the CVE description, a MITM attacker can substitute a malicious tarball while still presenting a signature file that passes the launcher’s verification flow, allowing arbitrary code execution. NVD maps the affected product to the CPE tor_browser_launcher_project:tor_browser_launcher 0.2.3 and gives the CVSS vector as AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

High. The attack can lead to full compromise of the launcher’s execution context, but it depends on an initial-run network interception scenario rather than a simple unauthenticated remote trigger.

Recommended defensive actions

  • Upgrade torbrowser-launcher to 0.2.4 or later.
  • If you cannot upgrade immediately, avoid first-run installs or updates over networks you do not fully trust.
  • Validate the launcher package provenance through trusted distribution channels and checksums where available.
  • Review first-run automation and deployment workflows to ensure they do not rely on unauthenticated downloads.
  • Monitor systems that installed torbrowser-launcher before remediation for unexpected follow-on activity.
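The recommendations above hinge on the download being accepted only when the signature over the exact downloaded bytes comes from a key you already trust. As an added example (not code from torbrowser-launcher, and not a description of where the 0.2.3 check went wrong, which the CVE text does not specify), the Python below shows a fail-closed acceptance policy for a detached PGP signature over a downloaded tarball: GnuPG's --status-fd lines are parsed and the file is trusted only when a single VALIDSIG names a pinned release-key fingerprint. The fingerprint, the keyring path and the status lines used for testing are constructed placeholders.

```python
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional, Set
# Constructed placeholder; pin the real release-signing key's full 40-hex fingerprint instead.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
STATUS_PREFIX = "[GNUPG:] "
# Any of these means the signature must not be trusted, whatever else gpg reports.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    fingerprint: Optional[str] = None


def evaluate_gpg_status(status_lines: Iterable[str],
                        pinned: Set[str] = PINNED_FINGERPRINTS) -> Verdict:
    """Fail-closed policy over GnuPG --status-fd lines: accept only when no fatal
    keyword appears, exactly one VALIDSIG is present, and the key it names (primary
    fingerprint when given) is pinned. GOODSIG alone or exit code 0 never suffices."""
    validsigs = []
    for raw in status_lines:
        if not raw.startswith(STATUS_PREFIX):
            continue  # ignore anything that is not a status line
        fields = raw[len(STATUS_PREFIX):].split() or [""]
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL_KEYWORDS:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "VALIDSIG" and args:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk-algo> <hash> <class> [<primary-fpr>]
            validsigs.append((args[9] if len(args) > 9 else args[0]).upper())
    if len(validsigs) != 1:
        return Verdict(False, f"expected exactly one VALIDSIG, saw {len(validsigs)}")
    fpr = validsigs[0]
    if fpr not in {p.upper() for p in pinned}:
        return Verdict(False, "valid signature, but not from a pinned key", fpr)
    return Verdict(True, "valid signature from pinned key", fpr)


def verify_downloaded_tarball(tarball: str, sigfile: str, keyring: str,
                              pinned: Set[str] = PINNED_FINGERPRINTS) -> Verdict:
    """Run gpg over the exact downloaded bytes with an isolated keyring (assumed to
    hold only the pinned release key) and judge by status lines, not exit code alone."""
    proc = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
                           "--status-fd", "1", "--verify", sigfile, tarball],
                          capture_output=True, text=True)
    verdict = evaluate_gpg_status(proc.stdout.splitlines(), pinned)
    if verdict.accepted and proc.returncode != 0:
        return Verdict(False, f"gpg exited {proc.returncode} despite VALIDSIG", verdict.fingerprint)
    return verdict
```

Because the policy is a pure function of the status lines, it can be unit-tested against captured gpg output without a keyring or network, and the tarball is never unpacked unless the verdict is accepted.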

Evidence notes

This debrief is based on the supplied CVE description and the NVD record referenced in the corpus. The CVE was published on 2017-02-07T17:59:00.427Z and modified on 2026-05-13T00:24:29.033Z; those dates are used only as CVE timeline context, not as issue creation dates. NVD lists the vulnerable CPE for tor_browser_launcher_project:tor_browser_launcher:0.2.3 and references the vendor advisory issue tracker entry plus a third-party advisory. No KEV data was supplied for this CVE.

Official resources

Publicly disclosed in the CVE record on 2017-02-07. No KEV entry was supplied in the source corpus.