
CVE-2024-49364
Date: June 30, 2025
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted when signing a malicious JSON-stringifiable object, if the global Buffer is the buffer package. Only environments where require('buffer') is the NPM buffer package are affected. The Buffer.isBuffer check can be bypassed, resulting in reuse of k for different messages, which allows private key extraction from a single invalid message (plus a second one, for which any message/signature could be taken, e.g. a previously known valid one). This issue has been patched in version 1.1.7.
Weakness Type (CWE)
CWE-522: Insufficiently Protected Credentials

Top Fix

Upgrade Version
Upgrade to version tiny-secp256k1 - 1.1.7; https://github.com/bitcoinjs/tiny-secp256k1.git - v1.1.7
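
One way to check a project against the upgrade advice above, as an added example rather than code from the advisory or the tiny-secp256k1 project: it walks the `packages` map of a parsed lockfileVersion 2/3 `package-lock.json`, reports tiny-secp256k1 copies older than 1.1.7, and notes whether the NPM buffer package is in the tree. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not project code): audit a parsed package-lock.json
// (lockfileVersion 2 or 3) for tiny-secp256k1 releases before 1.1.7.
const FIXED = [1, 1, 7]; // first patched version per the advisory

// Parse "x.y.z" (any pre-release/build suffix ignored) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
// True when version triple a sorts strictly before b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}
// Package name is whatever follows the last "node_modules/" in a lockfile key.
function nameOf(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}
function auditLockfile(lock) {
  const vulnerable = [];
  let bufferPackageInTree = false;
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameOf(key);
    if (name === "buffer") bufferPackageInTree = true;
    if (name !== "tiny-secp256k1") continue;
    const ver = parseVersion(meta.version);
    // Fail closed: an unparseable version is reported for manual review.
    if (ver === null || isBefore(ver, FIXED)) {
      vulnerable.push({ path: key, version: meta.version });
    }
  }
  return { vulnerable, bufferPackageInTree };
}

// Constructed sample lockfile (package names and versions are illustrative).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/tiny-secp256k1": { version: "1.1.6" },
    "node_modules/some-dep/node_modules/tiny-secp256k1": { version: "1.1.7" },
    "node_modules/buffer": { version: "6.0.3" },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Upgrade every reported copy regardless of `bufferPackageInTree`; the flag is only a hint about the advisory's stated precondition.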
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | NONE |