CVE-2024-49365

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.

CVSS

No CVSS.

References

Link	Resource
https://github.com/bitcoinjs/tiny-secp256k1/pull/140
https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m
https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m

Configurations

No configuration.

History

03 Jul 2025, 15:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-01 03:15

Updated : 2025-07-03 15:14

NVD link : CVE-2024-49365

Mitre link : CVE-2024-49365

CVE.ORG link : CVE-2024-49365

JSON object : View

Products Affected

No product.

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2024-49365", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-01T03:15:21.327", "references": [{"url": "https://github.com/bitcoinjs/tiny-secp256k1/pull/140", "source": "security-advisories@github.com"}, {"url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "source": "security-advisories@github.com"}, {"url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7."}, {"lang": "es", "value": "tiny-secp256k1 es un peque\u00f1o contenedor nativo/JS para secp256k1. Antes de la versi\u00f3n 1.1.7, se pod\u00eda crear un mensaje malicioso que se pudiera convertir en cadena JSON al pasar por verify() cuando el paquete de b\u00fafer es global B\u00fafer. Esto solo afecta a entornos donde require('b\u00fafer') es el paquete de b\u00fafer de NPM. Se puede omitir la comprobaci\u00f3n de Buffer.isBuffer, lo que provoca que se acepten objetos extra\u00f1os como mensaje, y estos mensajes podr\u00edan enga\u00f1ar a verify() para que devuelva valores verdaderos falsos positivos. Este problema se ha corregido en la versi\u00f3n 1.1.7."}], "lastModified": "2025-07-03T15:14:12.767", "sourceIdentifier": "security-advisories@github.com"}