CVE-2025-54604 - Disk filling from spoofed self connections
Disclosure of the details of a log-filling bug which allowed an attacker to fill up the disk space of a victim node by faking self-connections. Exploitability of this bug is limited, and it would take a long time before it would cause the victim to run out of disk space. A fix was released on October 10th 2025 in Bitcoin Core v30.0.

This issue is considered Low severity.

Details

Bitcoin Core would unconditionally log in case of self-connection. This could be exploited by an attacker by waiting for a victim to connect to it and reusing the version message nonce to establish many connections to the victim, causing it to detect those attempts as self-connections. However, exploitability is limited because the initial connection from the victim will time out after 60 seconds by default.

This issue was fixed by implementing log rate-limiting across the board, also preventing future issues of the same type from happening.

Attribution

Niklas Goegge discovered this bug and disclosed it responsibly.

Eugene Siegel and Niklas Goegge worked on a fix mitigating all types of log-filling attacks.

Credits also to contributor “practicalswift” who previously raised concerns about disk-filling vectors in Bitcoin Core and worked to address them.

Timeline

2022-03-16 - Niklas Goegge reports this issue to the Bitcoin Core security mailing list
2025-05-23 - Eugene Siegel opens PR #32604 to introduce log rate-limiting, based on earlier work from Niklas Goegge
2025-07-09 - PR #32604 is merged into master
2025-09-04 - Version 29.1 is released with the fix
2025-10-10 - Version 30.0 is released with the fix
2025-10-24 - Public Disclosure
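
An added example, not Bitcoin Core's code: a per-call-site byte budget of the kind the Details section names as the fix, showing that repeated self-connection log lines stop growing the log once the budget is spent. The class name, the call-site key, the budget and window values, and the sample log line are assumptions made for the example.

```cpp
#include <chrono>
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>

// Per-call-site log budget: at most `max_bytes` per `window` for each site.
// The budget and window values used below are assumptions, not Bitcoin Core's.
class LogRateLimiter {
public:
    using Clock = std::chrono::steady_clock;
    enum class Status { LOGGED, NEWLY_SUPPRESSED, SUPPRESSED };
    LogRateLimiter(uint64_t max_bytes, std::chrono::seconds window)
        : m_max_bytes(max_bytes), m_window(window) {}
    // `site` names the logging call site (hypothetical key, e.g. "file:line").
    Status Consume(const std::string& site, const std::string& msg, Clock::time_point now) {
        auto r = m_sites.emplace(site, Stats{now, 0, 0});
        Stats& s = r.first->second;
        if (!r.second && now - s.start >= m_window) s = Stats{now, 0, 0}; // new window
        if (s.dropped == 0 && s.bytes + msg.size() <= m_max_bytes) {
            s.bytes += msg.size();
            return Status::LOGGED;
        }
        // Over budget: caller writes one notice on NEWLY_SUPPRESSED, then stays
        // silent for this site until the window resets.
        return s.dropped++ == 0 ? Status::NEWLY_SUPPRESSED : Status::SUPPRESSED;
    }
private:
    struct Stats { Clock::time_point start; uint64_t bytes; uint64_t dropped; };
    uint64_t m_max_bytes;
    std::chrono::seconds m_window;
    std::unordered_map<std::string, Stats> m_sites;
};

// Constructed sample line standing in for the self-connection log message.
const std::string kSampleLine = "connected to self, disconnecting\n";

// Replays `n` identical lines from one call site within a single window and
// returns how many bytes would reach the log file.
uint64_t BytesWrittenUnderFlood(uint64_t n, uint64_t max_bytes) {
    LogRateLimiter limiter(max_bytes, std::chrono::seconds(3600));
    uint64_t written = 0;
    for (uint64_t i = 0; i < n; ++i) {
        auto now = LogRateLimiter::Clock::time_point{} + std::chrono::milliseconds(i);
        if (limiter.Consume("net:self_connect", kSampleLine, now) == LogRateLimiter::Status::LOGGED)
            written += kSampleLine.size();
    }
    return written;
}

int main() { std::cout << BytesWrittenUnderFlood(100000, 1000) << " bytes logged\n"; }
```

Because the budget is tracked per call site, a flood from one log statement does not silence unrelated log statements.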