A TorBox user reported to us via email that ICPM packages used in conjunction with ping and traceroute were not blocked by TorBox, which, if exploited, could reveal the user’s IP address and location. The reason for this vulnerability is an error in the firewall rules. The updated images, linked below, will not only fix it but also update Tor to version 0.4.8.16 and Snowflake to version 2.11.0.

TorBox Image (about 1 GB): v.0.5.4 (17.04.2025) – SHA-256 values
TorBox mini Image (about 1 GB): v.0.5.4 (17.04.2025) – SHA-256 values
TorBox Menu only: v.0.5.4 (17.04.2025) – SHA-256 values

Alternatively, you can download the image from our TorBox cloud test installation.

• • •

If you have an already running TorBox v.0.5.4 then you can manually update your system to close the vulnerability and update Tor:

Use entry 4 in the Update & Maintenance sub-menu to update Tor and Snowflake.
Use entry 5 in the Update & Maintenance sub-menu to update the TorBox menu.
Reconfigure the firewall by using an entry between 5 and 10 in the Main menu.

To check if the firewall rules are fixed, use the following command on the command line interface:
sudo iptables-save | grep icmp

As a result, you should see the following lines (now additional lines with FORWARD in it!):
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

• • •

By the way, using the TorBox installation script for Debian-based systems is now also compatible with DietPi. A TorBox on a DietPi system requires only about two-thirds of the space compared to a TorBox on a Raspberry Pi system and runs very smoothly. However, we are still in a test phase and cannot guarantee that all works as it should. Due to our limited resources, we require individuals who are willing to thoroughly test it and report any issues to us that we can address.

• • •

Known problems and bugs

ISSUES: The modified tables were not saved during the first start. This is only a minor issue, and it is healed if the Main Menu entry 5-10 is used. A bigger problem is that if your internet is connected via an Ethernet USB-adapter (eth1), TorBox is often unable to get the default gateway configuration, causing a disconnection between TorBox and the Internet. We have already successfully dealt with that problem on the Raspberry Pi onboard Ethernet connector (eth0) and implemented the same solution for eth1. More about these two issues and how they can be fixed is explained here. The image files are not fixed yet — PENDING! ⏳

BUG: Because of a bug in the script, entry 10 in the Main Menu (Tor Over VPN) was not working correctly (see Issue #342). We fixed the bug with Commit 6b9af96 (Tor over VPN: fix). You can fix the bug on your TorBox by updating the TorBox menu with entry 5 in the Update and Maintenance sub-menu. The image files are not fixed yet — PENDING! ⏳

ke on TorBox v.0.5.4 – Security Update 17 April 2025: “I downloaded the file in your link. And installed it on a raspberry pi zero 2 w. I connected a…” May 15, 18:43
John Doe on TorBox v.0.5.4 – Security Update 17 April 2025: “Check out the top of the post. There you will find two images: TorBox Image and TorBox mini Image. You…” May 9, 20:35
ke on TorBox v.0.5.4 – Security Update 17 April 2025: “what configuration you want to use The hardware setup would be: Raspberry pi zero 2 w, micro usb power supply…” May 9, 12:21
John Doe on TorBox v.0.5.4 – Security Update 17 April 2025: “Going to the Beagle Bone Distro page, I can find a Debian 11 image for BeagleBone Black. I also found…” May 4, 10:33
John Doe on TorBox v.0.5.4 – Security Update 17 April 2025: “The TorBox mini is configured that way: Internet is on wlan0 Client is on eth0 (RNDIS/Ethernet Gadget mode). These are…” May 4, 10:08