CVE-2025-54604: 
Bitcoin Core vulnerability analysis and mitigation

Bitcoin Core through version 29.0 contains a vulnerability that allows Uncontrolled Resource Consumption. The issue was discovered and disclosed on October 24, 2025, affecting all Bitcoin Core versions up to and excluding version 30.0 (Bitcoin Core Blog, NVD).

The vulnerability stems from Bitcoin Core unconditionally logging in case of self-connection. An attacker could exploit this by waiting for a victim to connect to them and then reusing the version message nonce to establish many connections to the victim, causing it to detect those attempts as self-connections. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Bitcoin Core Blog).

The vulnerability allows an attacker to fill up the disk space of a victim node through log-filling attacks. However, exploitability is limited because the initial connection from the victim will timeout after 60 seconds by default (Bitcoin Core Blog).

The issue was fixed in Bitcoin Core version 30.0 by implementing log rate-limiting across the board, which prevents this and similar types of log-filling attacks. The fix was developed by Eugene Siegel and Niklas Goegge (Bitcoin Core Blog).