Home > Vulnerability Database > CVE-2024-1631

Mend.io Vulnerability Database

CVE-2024-1631

Good to know:

Date: February 20, 2024

Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller.

Language: TYPE_SCRIPT

Severity Score

9.1

Related Resources (7)

Url: https://www.npmjs.com/package/@dfinity/identity/v/1.0.1

Url: https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1631

Url: https://github.com/dfinity/agent-js

Url: https://agent-js.icp.xyz/identity/index.html

Url: https://github.com/dfinity/agent-js/pull/851

Url: https://www.mend.io/vulnerability-database/CVE-2024-1631

Severity Score

9.1

Weakness Type (CWE)

Use of Insufficiently Random Values

CWE-330

Use of Hard-coded Cryptographic Key

CWE-321

Top Fix

Upgrade Version

Upgrade to version @dfinity/identity - 1.0.1,@dfinity/auth-client - 1.0.1

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1631

Good to know:

Date: February 20, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?