Disclosure of the details of a log-filling bug which allowed an attacker to fill up the disk space of a victim node by faking self-connections. Exploitability of this bug is limited, and it would take a long time before it would cause the victim to run out of disk space. A fix was released on October 10th 2025 in Bitcoin Core v30.0.
This issue is considered Low severity.
Details
Bitcoin Core would unconditionally log in case of self-connection. This could be exploited by an attacker by waiting for a victim to connect to it and reusing the version message nonce to establish many connections to the victim, causing it to detect those attempts as self-connections. However, exploitability is limited because the initial connection from the victim will timeout after 60 seconds by default.
This issue was fixed by implementing log rate-limiting across the board, also preventing future issues of the same type from happening.
Attribution
Niklas Goegge discovered this bug and disclosed it responsibly.
Eugene Siegel and Niklas Goegge worked on a fix mitigating all types of log-filling attacks.
Credits also to contributor “practicalswift” who previously raised concerns about disk-filling vectors in Bitcoin Core and worked to address them.
Timeline
- 2022-03-16 - Niklas Goegge reports this issue to the Bitcoin Core security mailing list
- 2025-05-23 - Eugene Siegel opens PR #32604 to introduce log rate-limiting, based on earlier work from Niklas Goegge
- 2025-07-09 - PR #32604 is merged into master
- 2025-09-04 - Version 29.1 is released with the fix
- 2025-10-10 - Version 30.0 is released with the fix
- 2025-10-24 - Public Disclosure