
Will the adoption of the CVE vulnerability by the U.S. NVD cause the collapse of the inscriptions ecosystem?
TechFlow Selected TechFlow Selected

Will the adoption of the CVE vulnerability by the U.S. NVD cause the collapse of the inscriptions ecosystem?
Inscriptions emerge from vulnerabilities, yet bring a new narrative to the Bitcoin ecosystem.
Author: Fu Ruheshi, Odaily Planet Daily
Today, Yu Xian, founder of security firm SlowMist, posted on X stating that the Bitcoin Ordinals Inscription vulnerability has been officially accepted into the U.S. National Vulnerability Database (NVD), with a CVSS vulnerability severity score of 5.3—classified as medium risk (out of a maximum 10 points).
"The inscription issue has now been assigned a CVE number, which fundamentally legitimizes it and clearly classifies it as a vulnerability. Obtaining a CVE isn't new or particularly rare—many security teams or individuals can apply for one, and we haven’t placed much importance on it... but perhaps players in the Bitcoin ecosystem will take it seriously, since CVE numbers are among the most recognized forms of vulnerability validation in the security industry."
Although Yu Xian repeatedly emphasized that he himself researches and experiments with inscriptions—"I believe inscriptions may have alternative paths forward, and I hope to see better solutions"—the fact that the "inscription vulnerability" has received official recognition from NVD has still sparked debate within the crypto community. Some reject this NVD certification altogether, arguing that a decentralized system like Bitcoin should not be defined by centralized institutions.

(Screenshot of Yu Xian’s post)
Previously, Bitcoin Core developer Luke Dashjr claimed that inscriptions were exploiting a vulnerability in the Bitcoin Core client to flood the blockchain with spam data, a flaw assigned the identifier CVE-2023-50428. However, many crypto investors dismissed this, suggesting that Luke Dashjr secured the CVE based on personal bias and false reasoning, calling it "a shameful abuse of a public security mechanism."

(Screenshot of Luke Dashjr’s post)
For inscription holders, the central concern is whether NVD's recognition implies that the vulnerability must be fixed—and if so, how this might impact the inscription market.
An anonymous security expert told Odaily Planet Daily that vulnerability certification does not necessarily mean it must be patched; whether or not to fix it ultimately depends on Bitcoin Core’s decisions and execution. However, such recognition does lend weight to the narrative that "Bitcoin Ordinals inscriptions are a vulnerability," given the long-standing influence of CVE/NVD in both security and broader tech industries.
"It's also important to note that while platforms like CVE/NVD are highly prominent, countless vulnerabilities they’ve recorded throughout history have either never been fixed or were only addressed much later. This kind of controversy isn’t unique to Bitcoin—such issues should be approached with calm rationality."
Additionally, the expert noted that although CVSS scored this vulnerability at 5.3 (medium severity), it doesn’t imply a threat to the overall security of the blockchain. "CVSS is one of the most well-known and even leading standards in the industry for scoring vulnerabilities, with a maximum of 10 points. A score of 5.3 already speaks volumes—medium severity, not high, certainly not critical. Leaving this medium-risk vulnerability unpatched won’t cause significant harm, or at least no visible short-term impact. As long as inscriptions—including BRC-20 tokens—are being traded or remain active on-chain, they continue to exploit this vulnerability. In Luke Dashjr’s view, this constitutes a spam attack. Spam means junk—nothing more. But whether it truly is junk? That’s subjective. Hence the controversy."
Yu Xian also commented on social media: "A CVE designation doesn’t mean a vulnerability must or should be fixed, especially when the severity rating is low—like the 5.3 medium-risk score for the Bitcoin Ordinals vulnerability. Looking at the details, multiple metrics contribute to the final score, some of which are zero. The 'Impact' metric, for instance, scores only 1.4. Under these circumstances, whether or not to patch ultimately depends on Bitcoin Core’s stance, and whether miners adopt the patch depends on their own incentives."

(Inscription vulnerability scoring)
Currently, the crypto community remains deeply divided over whether inscriptions constitute a "vulnerability." The NVD’s formal adoption of this classification has only intensified the conflict. From a developer’s perspective, identifying and fixing vulnerabilities in a system is a routine and necessary process, regardless of severity. But for the inscription ecosystem—and its many stakeholders—this move feels like cutting off their livelihood.
Today, inscriptions are bringing fresh narratives and renewed vitality to the Bitcoin ecosystem. We hope developers and ecosystem builders can soon reach a consensus and find an optimal solution.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










