Oct 24, 2025/15:59 UTC
A low-severity vulnerability has been identified affecting all versions of Bitcoin Core from v24.0 to v30.0. This issue, which concerns the potential exposure of sensitive information such as private keys and wallet passphrases through debug console history, was initially reported on GitHub and highlighted across social media platforms. Despite the implementation of a history filter in 2016 designed to prevent such exposures by excluding specific RPC commands from the debug console's history, the migratewallet command was overlooked and not included in this filter. Consequently, if an attacker gains access to a user's machine, they could potentially retrieve the wallet passphrase from the console history.
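The failure mode described above, as an added example that is not code from Bitcoin Core or Knots: a denylist-based history filter only protects the commands someone remembered to list. The function names, the denylist contents other than migratewallet, and the sample input are assumptions constructed for illustration.

```cpp
#include <set>
#include <string>
#include <vector>

using Denylist = std::set<std::string>;

// Illustrative lists only; not copied from the Bitcoin Core source.
const Denylist BEFORE_FIX = {"walletpassphrase", "walletpassphrasechange", "encryptwallet", "importprivkey"};
const Denylist AFTER_FIX = {"walletpassphrase", "walletpassphrasechange", "encryptwallet", "importprivkey", "migratewallet"};

// Command name = first token, ending at whitespace or '(' (function-call syntax).
std::string CommandName(const std::string& line)
{
    const auto start = line.find_first_not_of(" \t");
    if (start == std::string::npos) return "";
    const auto end = line.find_first_of(" \t(", start);
    return line.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Text that is safe to keep in history: arguments of sensitive commands are dropped.
std::string HistoryEntry(const std::string& line, const Denylist& sensitive)
{
    const std::string name = CommandName(line);
    return sensitive.count(name) ? name + " (redacted)" : line;
}

// True if any entry that would be stored still contains the secret.
bool HistoryLeaks(const std::vector<std::string>& typed, const Denylist& sensitive, const std::string& secret)
{
    for (const auto& line : typed) {
        if (HistoryEntry(line, sensitive).find(secret) != std::string::npos) return true;
    }
    return false;
}

// Constructed console input; the wallet name and passphrase are made up.
const std::vector<std::string> SAMPLE = {
    "getblockcount",
    "walletpassphrase \"constructed-pass\" 60",
    "  migratewallet \"legacy\" \"constructed-pass\"",
    "migratewallet(\"legacy\", \"constructed-pass\")",
};
```

A regression test that feeds every passphrase-taking command through the filter and checks the stored history for the secret catches this class of omission when a new RPC is added.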
The graphical user interface (GUI) introduced in version 26.0 of Bitcoin Core offers an alternative method for wallet migration that does not involve using RPC commands in the debug console, providing a safer option for users. Nonetheless, there remains a preference among some users for the RPC method, thereby highlighting the importance of addressing this vulnerability.
The timeline for the identification and resolution of this vulnerability began on October 2, 2025, when the issue was first reported within the Bitcoin Knots Telegram group. Following this report, a pull request was submitted to the Knots repository on the same day, leading to the release of Knots v29.2 on October 11, 2025, which contained the necessary fix. Subsequently, the bug was acknowledged in the Bitcoin Core repository, prompting waketraindev to open a pull request to address the issue. The full disclosure on October 24, 2025, aimed to raise awareness among all users due to the ongoing vulnerability within Bitcoin Core.
This disclosure underscores the collaborative efforts within the Bitcoin development community, including contributions from individuals such as waketraindev and lukedashjr, to promptly identify and rectify security vulnerabilities, ensuring the integrity and safety of user data. For more information on the updated version containing the fix, users can refer to the Knots v29.2 release notes.