Full Disclosure: Debug console history storing sensitive info in bitcoin core v24.0-v30.0


/dev /fd0

Oct 24, 2025, 12:26:25 PM
to Bitcoin Development Mailing List, secu...@bitcoincore.org
Hi everyone,

This is a disclosure of a low-severity vulnerability that exists in all Bitcoin Core versions from v24.0 to v30.0. It has already been reported in a GitHub [issue][0] and shared on social media. However, I wanted to formally disclose it on the mailing list so that all users are aware of the risks. The full disclosure approach is primarily used when vulnerabilities are ignored. That is exactly what happened in this case, although it has been [fixed][1] in Bitcoin Knots, which also persists the history to disk.

Some RPC commands use private keys, the wallet passphrase, etc. in their arguments, and these remained in the debug console history until [2016][2]. An attacker can no longer see the history and get sensitive information thanks to the history filter. However, [`migratewallet`][3] wasn't added to the history filter. This allows an attacker with access to the victim's machine to get the wallet passphrase from the history. The GUI has had an option to migrate the wallet without using RPC commands in the debug console since v26.0, but some users may prefer RPC over it.

```
// don't add private key handling cmd's to the history
// (note: no "migratewallet" entry, although it takes the passphrase as an argument)
const QStringList historyFilter = QStringList()
    << "signmessagewithprivkey"
    << "signrawtransactionwithkey"
    << "walletpassphrase"
    << "walletpassphrasechange"
    << "encryptwallet";
```

Timeline:
02 October 2025: User [reported][4] the issue in bitcoin knots telegram group
02 October 2025: I opened the pull request to fix the issue in knots repo
11 October 2025: [knots v29.2][5] released with the fix
11 October 2025: I acknowledged the bug in bitcoin core repo and waketraindev opened a [pull request][6] to fix it
24 October 2025: Full disclosure as bitcoin core remains vulnerable

Credits:
waketraindev 
lukedashjr
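
The filter quoted above is a denylist: any command whose name is not in the list is persisted, so a new RPC that takes a secret as an argument leaks by default. The following is an added, stand-alone model of that behaviour written for this page; it is not Bitcoin Core's or Knots' code and uses std::string in place of Qt types. Matching on the first whitespace-separated token of the console line, the RecordHistory/LeakedLines helpers, and the sample session (placeholder passphrase, constructed here) are this example's assumptions, not a description of how rpcconsole.cpp matches commands. It replays the same session against the list as quoted and against the same list with `migratewallet` added, and includes a check an operator can run over a recovered history file to find lines that carry a secret.

```cpp
// Added example (not Bitcoin Core's or Knots' code): a stand-alone model of a
// debug-console history filter. Assumption: a line is filtered when its first
// whitespace-separated token equals a filter entry.
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// History filter as quoted in the disclosure (no "migratewallet" entry).
static const std::vector<std::string> kHistoryFilterVulnerable = {
    "signmessagewithprivkey",
    "signrawtransactionwithkey",
    "walletpassphrase",
    "walletpassphrasechange",
    "encryptwallet",
};

// Same filter with the entry the disclosure says was missing.
static const std::vector<std::string> kHistoryFilterFixed = {
    "signmessagewithprivkey",
    "signrawtransactionwithkey",
    "walletpassphrase",
    "walletpassphrasechange",
    "encryptwallet",
    "migratewallet",
};

// First whitespace-separated token of a console line (empty if the line is blank).
std::string CommandName(const std::string& line) {
    std::istringstream in(line);
    std::string name;
    in >> name;
    return name;
}

// True if the line's command is in the filter and must not be persisted.
bool IsFiltered(const std::string& line, const std::vector<std::string>& filter) {
    const std::string name = CommandName(line);
    return std::find(filter.begin(), filter.end(), name) != filter.end();
}

// Replay typed console input and return what the on-disk history would hold.
std::vector<std::string> RecordHistory(const std::vector<std::string>& typed,
                                       const std::vector<std::string>& filter) {
    std::vector<std::string> history;
    for (const auto& line : typed) {
        if (!IsFiltered(line, filter)) history.push_back(line);
    }
    return history;
}

// Post-mortem check over a recovered history: which stored lines start with a
// command known to carry a secret in its arguments?
std::vector<std::string> LeakedLines(const std::vector<std::string>& history,
                                     const std::vector<std::string>& secret_cmds) {
    std::vector<std::string> leaked;
    for (const auto& line : history) {
        if (IsFiltered(line, secret_cmds)) leaked.push_back(line);
    }
    return leaked;
}

// Constructed sample session; the passphrase is a placeholder, not real data.
static const std::vector<std::string> kSampleSession = {
    "getblockchaininfo",
    "walletpassphrase \"correct horse battery staple\" 60",
    "migratewallet \"legacy\" \"correct horse battery staple\"",
    "getwalletinfo",
};

int main() {
    const auto vulnerable = RecordHistory(kSampleSession, kHistoryFilterVulnerable);
    const auto fixed = RecordHistory(kSampleSession, kHistoryFilterFixed);

    std::cout << "history with quoted filter:\n";
    for (const auto& l : vulnerable) std::cout << "  " << l << '\n';
    std::cout << "history with migratewallet filtered:\n";
    for (const auto& l : fixed) std::cout << "  " << l << '\n';

    std::cout << "lines leaking a secret under the quoted filter:\n";
    for (const auto& l : LeakedLines(vulnerable, kHistoryFilterFixed)) {
        std::cout << "  " << l << '\n';
    }
    return 0;
}
```

Under the quoted filter the `walletpassphrase` line is dropped but the `migratewallet` line, carrying the same passphrase, is stored; with `migratewallet` in the list both are dropped. The LeakedLines check is the one to run over an existing history file before assuming a passphrase is safe to keep using.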



