Tor can be forced to open too many circuits by embedding .onion resources
A malicious web page or an exit node* can force Tor to open too many new circuits by embedding resources from multiple .onion domains.
I could observe up to 50 new circuits per second, and a total of a few hundred circuits in less than a half minute.
The embedded HS domains don't need to exist, Tor will still open an new internal circuit for each .onion domain to download the descriptors.
I guess forcing clients to make too many circuits may enable certain attacks, even though the circuits are internal.
Maybe Tor (or Tor Browser) could cap the number of new circuits opened within a time window. I can't think of a realistic use case for loading resources from tens of different hidden services.
*: only when the connection is unencrypted HTTP