2025-10-24 15:00:54 UTC

EenentwintigNews on Nostr:

CVE-2025-54604 - Disk filling from spoofed self connections

Disclosure of the details of a log-filling bug which allowed an attacker to fill up the disk space
of a victim node by faking self-connections. Exploitability of this bug is limited, and it would
take a long time before it would cause the victim to run out of disk space. A fix was released on
October 10th 2025 in Bitcoin Core v30.0.
This issue is considered Low severity.

Details

Bitcoin Core would unconditionally log a message whenever it detected a self-connection. An
attacker could exploit this by waiting for a victim to connect to it and then reusing the version
message nonce to establish many connections to the victim, causing it to detect those attempts as
self-connections. However, exploitability is limited because the initial connection from the
victim will time out after 60 seconds by default.

This issue was fixed by implementing log rate-limiting across the board, which also prevents
future issues of the same type.

Attribution

Niklas Goegge discovered this bug and disclosed it responsibly.
Eugene Siegel and Niklas Goegge worked on a fix mitigating all types of log-filling attacks.
Credits also to contributor “practicalswift” who previously raised concerns
about disk-filling vectors in Bitcoin Core and worked to address them.

Timeline

2022-03-16 - Niklas Goegge reports this issue to the Bitcoin Core security mailing list
2025-05-23 - Eugene Siegel opens PR #32604 to introduce log rate-limiting, based on earlier work from Niklas Goegge
2025-07-09 - PR #32604 is merged into master
2025-09-04 - Version 29.1 is released with the fix
2025-10-10 - Version 30.0 is released with the fix
2025-10-24 - Public Disclosure

https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54604/

#Eenentwintig #Nieuws #News #BitcoinNews
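
The Details section says the fix was log rate-limiting. The sketch below is an added example, not Bitcoin Core's code and not part of the original post: a per-call-site byte budget that bounds what a flood of self-connection detections can write to disk. The class name, call-site key, budget, window and sample log line are all assumptions made for illustration.

```cpp
#include <chrono>
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>

// Hypothetical per-call-site byte budget for log output (not Bitcoin Core's code).
class LogRateLimiter {
public:
    using Clock = std::chrono::steady_clock;
    LogRateLimiter(uint64_t max_bytes, std::chrono::seconds window)
        : m_max_bytes(max_bytes), m_window(window) {}

    // Returns true if `msg` may be written; false once the call site's budget is spent.
    bool Consume(const std::string& call_site, const std::string& msg, Clock::time_point now) {
        Bucket& b = m_buckets[call_site];
        if (now - b.window_start >= m_window) { // window elapsed: start a fresh budget
            b.window_start = now;
            b.used = 0;
        }
        if (b.used + msg.size() > m_max_bytes) { ++b.suppressed; return false; }
        b.used += msg.size();
        return true;
    }
    // Total number of messages dropped for this call site so far.
    uint64_t Suppressed(const std::string& call_site) const {
        auto it = m_buckets.find(call_site);
        return it == m_buckets.end() ? 0 : it->second.suppressed;
    }
private:
    struct Bucket { Clock::time_point window_start{}; uint64_t used{0}; uint64_t suppressed{0}; };
    uint64_t m_max_bytes;
    std::chrono::seconds m_window;
    std::unordered_map<std::string, Bucket> m_buckets;
};

// Replays `attempts` self-connection detections, one every `spacing`, and returns bytes logged.
uint64_t BytesLoggedUnderFlood(LogRateLimiter& limiter, int attempts, std::chrono::milliseconds spacing) {
    const std::string line = "connected to self at 203.0.113.7:8333, disconnecting\n"; // constructed sample
    LogRateLimiter::Clock::time_point now{}; // simulated clock, starts at zero
    uint64_t written = 0;
    for (int i = 0; i < attempts; ++i, now += spacing) {
        if (limiter.Consume("self-connection", line, now)) written += line.size();
    }
    return written;
}

int main() {
    LogRateLimiter limiter(1024, std::chrono::hours(1)); // illustrative budget and window
    std::cout << BytesLoggedUnderFlood(limiter, 10000, std::chrono::milliseconds(100)) << " bytes logged, "
              << limiter.Suppressed("self-connection") << " lines suppressed\n";
}
```

Because the budget is keyed by call site, exhausting it for the self-connection message leaves other log statements unaffected, and disk growth from any single statement is capped at the budget per window regardless of how many connections arrive.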