CVE-2025-65548

9.1 CRITICAL

📋 TL;DR

CVE-2025-65548 is a denial-of-service vulnerability in Cashu implementations that allows attackers to fill a mint's database and disk with arbitrary data by creating tokens with oversized preimages. This affects any system running vulnerable versions of cashubtc/nuts (nutshell) that accept Cashu tokens. The vulnerability enables resource exhaustion attacks against mints.

💻 Affected Systems

Products:
  • cashubtc/nuts (nutshell)
Versions: All versions before 0.18.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any deployment using Cashu tokens with NUT-14 functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service as the mint's database and disk become filled with attacker-controlled data, rendering the service unavailable and potentially causing data corruption.

🟠 Likely Case

Degraded performance and eventual service unavailability as disk space is consumed by malicious preimage data.

🟢 If Mitigated

Minimal impact if proper input validation is implemented to restrict preimage size.

🌐 Internet-Facing: HIGH - Mints accepting tokens from external users are directly exposed to this attack.
🏢 Internal Only: MEDIUM - Internal-only mints are still vulnerable to attacks from authorized users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires creating Cashu tokens with oversized preimages, which is straightforward given the public disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.18.0 and later

Vendor Advisory: https://github.com/cashubtc/nuts/blob/main/07.md

Restart Required: Yes

Instructions:

1. Update to nutshell version 0.18.0 or later.
2. Restart the mint service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Rate limiting (applies to: all)

Implement rate limiting on token creation endpoints to restrict the volume of malicious requests.

Input validation (applies to: all)

Manually add preimage size validation before storing in database.
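As an added illustration of the input-validation workaround (example code written for this page, not code from nutshell or the Cashu project), the validator below bounds the witness preimage before the mint touches its database. It assumes the NUT-14 layout of an HTLC secret and witness, and assumes the preimage is the 32-byte SHA-256 input of the hash lock; the sample secret and witnesses are constructed.

```python
import hashlib
import json

# Assumed bound (not from the advisory): a NUT-14 HTLC preimage is the
# 32-byte input to the SHA-256 hash lock, i.e. 64 hex characters.
MAX_PREIMAGE_HEX_LEN = 64


class PreimageRejected(ValueError):
    """Witness failed validation; nothing was written to the database."""


def validate_htlc_preimage(secret: str, witness: str) -> bytes:
    """Validate a NUT-14 HTLC witness against its secret; return the preimage.

    Call this before any database write: the size gate runs on the raw string,
    so a multi-megabyte preimage is rejected before it is decoded or persisted.
    """
    try:
        kind, payload = json.loads(secret)  # NUT-10 form: ["HTLC", {...}]
    except (ValueError, TypeError):
        raise PreimageRejected("malformed secret")
    if kind != "HTLC" or not isinstance(payload, dict):
        raise PreimageRejected("not an HTLC secret")
    try:
        preimage_hex = json.loads(witness)["preimage"]
    except (ValueError, TypeError, KeyError):
        raise PreimageRejected("malformed witness")
    if not isinstance(preimage_hex, str) or len(preimage_hex) != MAX_PREIMAGE_HEX_LEN:
        raise PreimageRejected("preimage must be exactly 64 hex characters")
    try:
        preimage = bytes.fromhex(preimage_hex)
    except ValueError:
        raise PreimageRejected("preimage is not valid hex")
    if hashlib.sha256(preimage).hexdigest() != payload.get("data"):
        raise PreimageRejected("preimage does not match the hash lock")
    return preimage


def is_valid_preimage(secret: str, witness: str) -> bool:
    """Accept/reject wrapper for callers that do not need the bytes."""
    try:
        validate_htlc_preimage(secret, witness)
        return True
    except PreimageRejected:
        return False


# Constructed sample data: a preimage, the HTLC secret locking to it, a valid witness,
# and an oversized witness standing in for the attacker-controlled payload.
SAMPLE_PREIMAGE = bytes(range(32))
SAMPLE_SECRET = json.dumps(["HTLC", {"nonce": "c0ffee",
                                     "data": hashlib.sha256(SAMPLE_PREIMAGE).hexdigest()}])
GOOD_WITNESS = json.dumps({"preimage": SAMPLE_PREIMAGE.hex()})
OVERSIZED_WITNESS = json.dumps({"preimage": "ab" * 500_000})
```

The length check deliberately precedes hex decoding and hashing, so the rejection path does no work proportional to the attacker's payload.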

🧯 If You Can't Patch

  • Monitor disk usage and database growth for abnormal patterns
  • Implement network-level restrictions to limit token creation from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check if running nutshell version earlier than 0.18.0 and if NUT-14 functionality is enabled.

Check Version:

Run nutshell --version, or check the installed version with your package manager.

Verify Fix Applied:

Confirm version is 0.18.0 or later and test that oversized preimages are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large preimage storage entries
  • Rapid database growth
  • Disk space alerts

Network Indicators:

  • High volume of token creation requests
  • Large payloads in token-related API calls

SIEM Query:

source="mint_logs" AND ((message="preimage" AND size>threshold) OR disk_usage>90%)

The OR clause is parenthesised so that the disk-usage condition stays scoped to the mint logs; threshold is a placeholder for the largest legitimate preimage size in your deployment.
