QwikSec

Security Database

CVE

CWE

Training

CVE-2025-65548

Published: Dec 8, 2025

Modified: Dec 11, 2025

PUBLISHED

Description

NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the token is spent. The preimage is stored by the mint and attacker can exploit this vulnerability to fill the mint's db nd disk with arbitrary data.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://delvingbitcoin.org/t/public-disclosure-denial-of-service-using-htlc-in-cashu/2090

https://github.com/cashubtc/nuts/blob/main/14.md

https://github.com/cashubtc/nuts/blob/main/07.md

https://preimage007.github.io/

https://github.com/jamesob/delving-bitcoin-archive/blob/master/archive/rendered-topics/2025-11-November/2025-11-02-public-disclosure-denial-of-service-using-htlc-in-cashu-id2090.md

https://bitcointalk.org/index.php?topic=5564329

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.