Bitcoin Core v30 and later relay, store, index (with -txindex), and expose up to 100,000 bytes of arbitrary OP_RETURN data by default; the previous default was 83 bytes. When an attacker embeds a self-rendering Data URI (e.g., data:image/*;base64,…) inside an OP_RETURN output, every node that syncs the containing block stores the content and makes it accessible through the standard JSON-RPC and REST interfaces. Any client retrieving the transaction through these interfaces receives the Data URI unencrypted (hex-encoded inside the raw transaction and in scriptPubKey.asm/hex); a single hex decode yields a string that a web browser or other HTTP-capable software can render directly, without specialized tooling.
This behavior may unintentionally cause node operators to store, retrieve, or serve content that is harmful, illegal, or high-risk, creating operational, security, and legal exposure for downstream systems.
- Improper Handling of Untrusted Data
- Unsafe Default Configuration
- Exposure of Arbitrary Embedded Content
- Inadvertent Content Hosting via Standard Interfaces
- Bitcoin Core v30.0 and later (default configuration)
- Earlier versions if OP_RETURN relay limits were manually raised above ~83 bytes.
A malicious actor constructs a transaction containing:
OP_RETURN data:image/png;base64,<arbitrary-content>
or any other self-rendering Data URI (SVG, HTML, PDF, scriptable content, etc.). Once the transaction is mined:
- Bitcoin Core nodes download the transaction during normal block sync.
- The node stores the Data URI unencrypted in the blk*.dat block files; with -txindex enabled, the LevelDB transaction index records where to find it.
- Standard RPCs (getrawtransaction, decoderawtransaction, getblock with verbosity 2) expose the payload exactly as transmitted, hex-encoded in scriptPubKey.hex and scriptPubKey.asm.
- Any client, explorer, indexer, or automated system parsing JSON-RPC can inadvertently render the content simply by hex-decoding the push and assigning the resulting string to img.src or embedding it in a web view.
- Confidentiality: Low to High. Stored arbitrary data may include sensitive, harmful, or illegal content.
- Integrity: Low. Does not affect blockchain consensus but affects node-operator guarantees.
- Availability: Medium. Large payloads may impact indexers, explorers, and downstream software.
- Legal & Operational Risk: High. Nodes may involuntarily store or serve content that is:
  - illegal in certain jurisdictions,
  - dangerous to render,
  - or harmful to operators and users.
Because Data URIs are immediately self-rendering, the barrier for interpretation is extremely low.
- Broadcast a transaction embedding a Data URI via OP_RETURN.
- Query any Bitcoin Core v30 node via:
bitcoin-cli getrawtransaction <txid> true
(for a confirmed transaction this requires -txindex=1 on the node, or the containing block hash passed as a third argument).
- Observe the OP_RETURN push in scriptPubKey.asm and scriptPubKey.hex; it is shown as hex, and hex-decoding it yields a data:image/... or data:application/... URI.
- Paste the decoded string into a browser's img.src or an HTML <img> tag.
- The embedded content renders instantly.
A reproduction demo can be constructed using only HTML and Bitcoin Core RPC.
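The scan an explorer or indexer operator would run over getrawtransaction output, as an added example that is not code from this report or from Bitcoin Core: it walks the push opcodes of each nulldata scriptPubKey, hex-decodes the push, and flags any payload that begins with a data: URI, reporting its MIME type and size. The transaction below is constructed to have the shape of the verbose RPC output; the txid, the P2WPKH output and the SVG payload are placeholders, not a real on-chain transaction.

```python
import base64
import json
import re

# Script opcodes relevant to OP_RETURN outputs (Bitcoin script encoding).
OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E
# Matches the start of a data: URI and captures its MIME type.
DATA_URI_RE = re.compile(rb"^data:([\w.+-]+/[\w.+-]+)[^,]*,")


def push_data(payload: bytes) -> bytes:
    """Encode payload as a minimal script push, the form Core's decoder expects."""
    n = len(payload)
    if n <= 0x4B:
        return bytes([n]) + payload
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + payload
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + payload
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + payload


def nulldata_vout(payload: bytes, n: int) -> dict:
    """Constructed vout entry shaped like getrawtransaction's verbose output.
    Note that 'asm' shows the push as hex; the URI text only appears after decoding."""
    script = bytes([OP_RETURN]) + push_data(payload)
    return {"value": 0.0, "n": n,
            "scriptPubKey": {"asm": "OP_RETURN " + payload.hex(), "hex": script.hex(), "type": "nulldata"}}


def parse_pushes(script: bytes) -> list[bytes]:
    """Return the data pushes that follow OP_RETURN in a nulldata scriptPubKey."""
    if not script or script[0] != OP_RETURN:
        return []
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if op <= 0x4B:                       # direct push: the opcode is the length
            size = op
        elif op == OP_PUSHDATA1:
            size, i = script[i], i + 1
        elif op == OP_PUSHDATA2:
            size, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        elif op == OP_PUSHDATA4:
            size, i = int.from_bytes(script[i:i + 4], "little"), i + 4
        else:                                # OP_1..OP_16 or a non-push opcode: stop
            break
        pushes.append(script[i:i + size])
        i += size
    return pushes


def find_data_uris(tx: dict) -> list[dict]:
    """Scan every OP_RETURN output of a decoded transaction for self-rendering data: URIs."""
    hits = []
    for vout in tx.get("vout", []):
        spk = vout.get("scriptPubKey", {})
        if spk.get("type") != "nulldata":
            continue
        for push in parse_pushes(bytes.fromhex(spk["hex"])):
            m = DATA_URI_RE.match(push)
            if m:
                hits.append({"vout": vout["n"], "mime": m.group(1).decode("ascii").lower(), "bytes": len(push)})
    return hits


# Constructed sample: an SVG wrapped in a data: URI, as an attacker would embed it.
SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
DATA_URI = b"data:image/svg+xml;base64," + base64.b64encode(SVG)
SAMPLE_TX = {            # shape of `getrawtransaction <txid> true`; txid is a placeholder
    "txid": "00" * 32,
    "vout": [
        {"value": 0.001, "n": 0, "scriptPubKey": {"hex": "0014" + "11" * 20, "type": "witness_v0_keyhash"}},
        nulldata_vout(DATA_URI, 1),
        nulldata_vout(b"hello world", 2),   # ordinary short OP_RETURN, not a data: URI
    ],
}

if __name__ == "__main__":
    print(json.dumps(find_data_uris(SAMPLE_TX), indent=2))
```

The constructed URI is over the old 83-byte default, so the script encodes it with OP_PUSHDATA1; the parser also handles the OP_PUSHDATA2 and OP_PUSHDATA4 forms a 100,000-byte payload would need. To run this against a live node, replace SAMPLE_TX with the JSON from bitcoin-cli getrawtransaction <txid> true.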
Base Score: 7.1 (High) (CVSS v3.1, as computed from the vector below; note that the vector sets A:N even though availability is rated Medium above) Vector:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Rationale: Exploitable by anyone able to broadcast a Bitcoin transaction; affects downstream nodes; triggers unintended content hosting; and can expose operators to significant non-technical risk.
- Reduce OP_RETURN relay and acceptance limits to the former default of 83 bytes. Node operators can do this today with datacarriersize=83 in bitcoin.conf, or stop relaying data-carrier outputs entirely with datacarrier=0; both options are deprecated in v30 but are still honoured.
- Add configuration warnings about untrusted embedded data.
- Implement filtering or sanitization of high-risk MIME types.
- Provide opt-in rather than default behavior for large arbitrary data exposure.
- Offer a “safe mode” for node operators in regulated environments.
- Discovered: YYYY-MM-DD
- Reported to project: YYYY-MM-DD
- Public disclosure: Pending assignment
This report was submitted by an independent security researcher concerned with node-operator safety and unintended content exposure.