Bitcoin Core Uncontrolled Resource Consumption Vulnerability Allowing Disk Filling

Vulnerability

A vulnerability in Bitcoin Core versions through 29.0 allows for uncontrolled resource consumption, specifically by filling up the disk space of a victim node. This is achieved by faking self-connections, which triggers the node to log these connections unconditionally. The vulnerability was reported to the Bitcoin Core security mailing list on March 16, 2022, and was fixed in version 30.0, released on October 10, 2025.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the victim node's disk space is filled up, potentially causing the node to malfunction or crash.

Reproduction

The vulnerability can be reproduced by having a victim node connect to an attacker's node. The attacker then reuses the version message nonce to establish multiple connections to the victim, each of which the victim recognizes as a self-connection and logs. Because the victim's default connection timeout is 60 seconds, the attacker can repeat this indefinitely and gradually fill the victim's disk space.
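From the operator's side, the observable symptom is a burst of self-connection disconnect entries in debug.log from a single peer address. The following detector is an added example, not code from the advisory or from Bitcoin Core; the exact log message text ("connected to self at <addr>, disconnecting"), the timestamp layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed debug.log line shape (constructed); the message wording is an assumption,
# adjust LINE_RE to match the exact text your node version emits.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"connected to self at (?P<addr>\S+), disconnecting$"
)


def self_connection_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return {addr: peak_count} for peer addresses that produced at least
    `threshold` self-connection disconnects inside any sliding `window`.
    A genuine self-connection happens at most once or twice after startup,
    so a sustained burst from one address is the signature of nonce reuse."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, ignore
        events[m["addr"]].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))

    flagged = {}
    for addr, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it covers at most `window`
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[addr] = max(flagged.get(addr, 0), count)
    return flagged


# Constructed sample: six entries from one address within 25 s, one benign
# entry from another address, and an unrelated line that must be ignored.
SAMPLE_LOG = [
    f"2025-10-01T12:00:{s:02d}Z connected to self at 203.0.113.5:8333, disconnecting"
    for s in (0, 5, 10, 15, 20, 25)
] + [
    "2025-10-01T12:00:12Z New outbound peer connected: version: 70016",
    "2025-10-01T12:30:00Z connected to self at 198.51.100.7:8333, disconnecting",
]

if __name__ == "__main__":
    print(self_connection_bursts(SAMPLE_LOG))  # {'203.0.113.5:8333': 6}
```

Pair the count with a check on debug.log growth rate; a disk that fills faster than your log rotation drains it is the condition the advisory describes.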

Remediation

Users can upgrade to Bitcoin Core version 30.0 or later to address this vulnerability.

Added: Oct 28, 2025, 5:19 PM
Updated: Oct 28, 2025, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 8.6
remediation: 7.7
relevance: 0.8
threat: 1.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.