CVE-2025-65548
Summary
CVE-2025-65548 is a critical vulnerability affecting cashu nutshell versions prior to 0.18.0. The vulnerability stems from a lack of proper validation of preimage sizes when cashu tokens created with a preimage hash are spent, allowing an attacker to potentially fill the mint's database and disk with arbitrary data, leading to a denial-of-service condition.
Technical Details
The vulnerability lies in the insufficient validation of the preimage size during the spending process of cashu tokens. Specifically, NUT-14 allows the creation of cashu tokens with a preimage hash. However, versions of nutshell before 0.18.0 fail to adequately check the size of the preimage when these tokens are redeemed. An attacker can exploit this by crafting tokens with excessively large preimages. When these tokens are spent, the mint stores the oversized preimage in its database. Repeated spending of such tokens can rapidly consume disk space and database resources, ultimately leading to a denial-of-service (DoS) condition for the mint.
The core issue is a missing size check in the `nutshell` codebase during the preimage validation step. Without that check, arbitrary data supplied as a preimage is written to the mint's storage.
Affected Products and Versions
- cashu nutshell versions prior to 0.18.0
Impact Assessment
Successful exploitation of CVE-2025-65548 can lead to a denial-of-service condition for the cashu mint. This can disrupt the mint's ability to process transactions and serve legitimate users.
- Denial of Service: The primary impact is the inability of the mint to function correctly due to resource exhaustion.
- Data Storage Exhaustion: The mint's database and disk space can be rapidly filled with arbitrary data, leading to storage exhaustion.
- Reputation Damage: Service outages can damage the reputation of the cashu mint.
Remediation
Immediate Actions
- Upgrade to cashu nutshell version 0.18.0 or later. This version includes the necessary validation checks to prevent the exploitation of this vulnerability.
- Monitor disk space usage on the mint server to detect potential attacks.
- Implement rate limiting on token spending to mitigate the impact of potential attacks.
Long-term Solutions
- Regularly review and update the cashu nutshell codebase to address potential security vulnerabilities.
- Implement robust input validation and sanitization techniques to prevent the injection of malicious data.
- Conduct thorough security testing of cashu nutshell deployments to identify and address potential vulnerabilities.
Detection & Scanning
This vulnerability can be detected by monitoring the size of preimages being processed by the cashu mint. Excessive preimage sizes are a strong indicator of potential exploitation. Additionally, monitoring disk space and database resource usage can help identify ongoing attacks.
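The missing size check described under Technical Details and the preimage-size monitoring described here can share one routine. The following is an added example, not code from nutshell or from this advisory. It assumes a 32-byte hex-encoded preimage in the witness's `preimage` field and a SHA-256 hash lock; the function names, reason strings and the 4096-byte witness cap are hypothetical.

```python
import hashlib
import json

# Assumptions (not from the advisory): the preimage is 32 bytes, hex-encoded
# in the witness "preimage" field, and the lock is its SHA-256 digest.
PREIMAGE_HEX_LEN = 64
MAX_WITNESS_BYTES = 4096  # hypothetical cap on the whole witness string


def check_htlc_witness(witness: str, hash_lock_hex: str) -> tuple[bool, str]:
    """Return (ok, reason); size is checked before anything is parsed or stored."""
    if len(witness.encode()) > MAX_WITNESS_BYTES:
        return False, "witness_too_large"
    try:
        preimage = json.loads(witness).get("preimage")
    except (ValueError, AttributeError, RecursionError):
        return False, "malformed_witness"
    if not isinstance(preimage, str) or len(preimage) != PREIMAGE_HEX_LEN:
        return False, "bad_preimage_length"
    try:
        raw = bytes.fromhex(preimage)
    except ValueError:
        return False, "preimage_not_hex"
    # fromhex skips whitespace, so the decoded length is re-checked here.
    if len(raw) != 32 or hashlib.sha256(raw).hexdigest() != hash_lock_hex.lower():
        return False, "hash_mismatch"
    return True, "ok"


def flag_rejections(spends: list[tuple[str, str]]) -> dict[str, int]:
    """Count rejection reasons over (witness, hash_lock) pairs for alerting."""
    counts: dict[str, int] = {}
    for witness, lock in spends:
        ok, reason = check_htlc_witness(witness, lock)
        if not ok:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample data, not captured traffic.
GOOD_PREIMAGE = "00" * 32
LOCK = hashlib.sha256(bytes.fromhex(GOOD_PREIMAGE)).hexdigest()
SAMPLE_SPENDS = [
    (json.dumps({"preimage": GOOD_PREIMAGE}), LOCK),
    (json.dumps({"preimage": "ab" * 500}), LOCK),      # oversized preimage
    (json.dumps({"preimage": "ab" * 100_000}), LOCK),  # exceeds witness cap
    (json.dumps({"preimage": "zz" * 32}), LOCK),       # right length, not hex
]

print(flag_rejections(SAMPLE_SPENDS))
```

A sustained count of `bad_preimage_length` or `witness_too_large` rejections is the signal to alert on, alongside the disk and database usage metrics.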