CVE-2019-25220

Published: Nov 18, 2024Modified: May 22, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Bitcoin Core before 24.0.1 allows remote attackers to cause a denial of service (daemon crash) via a flood of low-difficulty header chains (aka a "Chain Width Expansion" attack) because a node does not first verify that a presented chain has enough work before committing to store it.

Affected (1)

Products: Bitcoin: Bitcoin Core

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bitcoin Bitcoin Core	Before 24.0.1

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (3)

https://bitcoincore.org/en/2024/09/18/disclose-headers-oom

Source: cve@mitre.org

Vendor Advisory

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

Source: cve@mitre.org

Third Party Advisory

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-October/017354.html

Source: cve@mitre.org

Mailing List

Timeline

No history available yet.