216.73.217.98

CVE-2024-49364

· Published 01/07/2025 03:15 · Modified 01/07/2025 14:15

Labels: CVE-2024-49364 2025-07-01CVE-2024-49364CWE-522[email protected]

Essential information

Published
01/07/2025 03:15
Modified
01/07/2025 14:15
Author
Creator
CVSS
8.1 HIGH (v3) 8.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
tiny-secp256k1 / tiny-secp256k1 cpe:2.3:a:tiny-secp256k1:tiny-secp256k1:<1.1.7:*:*:*:*:*:*:*

References