btcpayserver on Nostr: We are releasing version 2.0.2 to address a vulnerability affecting stores using the ...
We are releasing version 2.0.2 to address a vulnerability affecting stores using the Blink or Nostr plugins together with pull payments and payouts (most commonly used for refunds and Bolt cards).
https://github.com/btcpayserver/btcpayserver/releases/tag/v2.0.2
If your setup relies on these functionalities, we strongly recommend immediately updating your Nostr plugin to the latest version and BTCPay Server to 2.0.2 to mitigate this issue.
Please note that regular users operating LND or CLN nodes were not impacted on any version.
If you run BTCPay Server 1.x and you use pull payments with NWC (Nostr Wallet Connect), please update to BTCPay Server 2.0.2 and update the Nostr plugin.
If you opted into BTCPay Server 2.0 and are using the blinkbtc plugin with pull payments, please update to BTCPay Server 2.0.2.
Our thanks to itstomek petzsch leinert for responsibly disclosing and alerting us of this issue.
Published at 2024-11-09 16:55:09
Event JSON
{
"id": "f831e5d306b31d794b78a7545d0d82a46a3e73523678fe5741d46ca560af1fda",
"pubkey": "a536ab1f7f3c0133baadbdf472b1ac7ad4b774ed432c1989284193572788bca0",
"created_at": 1731171309,
"kind": 1,
"tags": [],
"content": "We are releasing version 2.0.2 to address a vulnerability affecting stores using the Blink or Nostr plugins together with pull payments and payouts (most commonly used for refunds and Bolt cards).\n\nhttps://github.com/btcpayserver/btcpayserver/releases/tag/v2.0.2\n\nIf your setup relies on these functionalities, we strongly recommend immediately updating your Nostr plugin to the latest version and BTCPay Server to 2.0.2 to mitigate this issue.\n\nPlease note that regular users operating LND or CLN nodes were not impacted on all versions.\n\nIf you run BTCPay Server 1.x and you use pull payments with NwC (Nostr wallet Connect) - please update to BTCPay Server 2.0.2 and update the Nostr Plugin.\n\nIf you opted into BTCPay Server 2.0 and are using blinkbtc plugin with pull payment - please update to BTCPay Server 2.0.2.\n\nOur thanks to itstomek petzsch leinert for responsibly disclosing and alerting us of this issue.",
"sig": "972f4f629ca12604816c8500358ffde473e3a66a656c2eb2874005c636ce85e83eb8f37624b949500c7c925617fc7c6294d9d27b8a4657185899bca4cef0cdc9"
}