Unrated severity · OSV Advisory · Published Dec 8, 2025 · Updated Dec 11, 2025
CVE-2025-65548
Description
NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 does not validate the size of the preimage when the token is spent. The preimage is stored by the mint, and an attacker can exploit this vulnerability to fill the mint's database and disk with arbitrary data.
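One way to enforce the missing size check before a witness is stored, as an added example that is not nutshell's own code. It assumes a NUT-14 preimage is 32 bytes sent as 64 hex characters and locked by its SHA-256 hash; `check_htlc_preimage`, `spend`, and the dict-backed store are hypothetical names.

```python
import hashlib

PREIMAGE_BYTES = 32                     # assumption: fixed 32-byte preimage
PREIMAGE_HEX_LEN = PREIMAGE_BYTES * 2   # sent as a hex string


class WitnessRejected(ValueError):
    """Raised when an HTLC witness must not be accepted or stored."""


def check_htlc_preimage(preimage_hex, hash_lock_hex):
    """Return the decoded preimage, or raise before anything is persisted.

    The length test runs first, so an oversized string is never decoded,
    hashed, or written to the database.
    """
    if not isinstance(preimage_hex, str):
        raise WitnessRejected("preimage must be a string")
    if len(preimage_hex) != PREIMAGE_HEX_LEN:
        raise WitnessRejected("preimage has wrong length")
    try:
        preimage = bytes.fromhex(preimage_hex)
    except ValueError:
        raise WitnessRejected("preimage is not hex") from None
    # bytes.fromhex() skips whitespace, so re-check the decoded size.
    if len(preimage) != PREIMAGE_BYTES:
        raise WitnessRejected("preimage does not decode to 32 bytes")
    if hashlib.sha256(preimage).hexdigest() != hash_lock_hex.lower():
        raise WitnessRejected("preimage does not match hash lock")
    return preimage


def spend(store, secret, preimage_hex, hash_lock_hex):
    """Hypothetical spend path: validate first, then persist the witness."""
    check_htlc_preimage(preimage_hex, hash_lock_hex)
    store[secret] = preimage_hex        # at most 64 characters reach storage
    return True


if __name__ == "__main__":
    lock = hashlib.sha256(bytes(32)).hexdigest()   # constructed sample lock
    db = {}
    print(spend(db, "secret-1", "00" * 32, lock))
    try:
        spend(db, "secret-2", "00" * 1_000_000, lock)
    except WitnessRejected as exc:
        print("rejected:", exc)
```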
Affected products (1)
Patches (0)
No patches discovered yet.
References (6)
- bitcointalk.org/index.php (mitre)
- delvingbitcoin.org/t/public-disclosure-denial-of-service-using-htlc-in-cashu/2090 (mitre)
- github.com/cashubtc/nuts/blob/main/07.md (mitre)
- github.com/cashubtc/nuts/blob/main/14.md (mitre)
- github.com/jamesob/delving-bitcoin-archive/blob/master/archive/rendered-topics/2025-11-November/2025-11-02-public-disclosure-denial-of-service-using-htlc-in-cashu-id2090.md (mitre)
- preimage007.github.io (mitre)