Is cashu affected by CVE-2025-65548?

PyPI cashu is affected in <0.18.0.

Is CVE-2025-65548 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

critical

CVE-2025-65548

Q: Is CVE-2025-65548 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

PyPI · cashu

Summary

NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell (cashubtc/nuts) before 0.18.0 do not validate the size of preimage when the token is spent. The preimage is stored by the mint and attacker can exploit this vulnerability to fill the mint's db nd disk with arbitrary dat

Severity: critical
EPSS: 0.4% (p27)
Also known as: PYSEC-2025-89
Published: 2025-12-08

References

https://delvingbitcoin.org/t/public-disclosure-denial-of-service-using-htlc-in-cashu/2090
https://preimage007.github.io/
https://bitcointalk.org/index.php?topic=5564329

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.