CVE-2024-49365
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-07-01

Last updated on: 2025-07-03

Assigner: GitHub, Inc.

Description
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made to pass verify() when the global Buffer is the npm buffer package. This affects only environments where require('buffer') resolves to the npm buffer package. The Buffer.isBuffer check can be bypassed, so strange objects are accepted as a message, and such messages can trick verify() into returning a false-positive true. This issue has been patched in version 1.1.7.
Meta Information
Published: 2025-07-01
Last Modified: 2025-07-03
Generated: 2026-05-07
AI Q&A: 2025-07-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
Exploitability
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-49365 is a signature-verification bypass (CWE-347) in the tiny-secp256k1 npm package, affecting versions up to and including 1.1.6. It applies only where the global Buffer is supplied by the npm 'buffer' package rather than by Node's core buffer module, which is typical of browser bundles and React Native apps that polyfill Buffer. The 'buffer' package's Buffer.isBuffer is a duck-type check, so a specially crafted JSON-stringifyable object passed as the message can satisfy it and reach verify() as though it were a 32-byte hash; verify() can then return true for data that was never signed. [1]


How can this vulnerability impact me?

An attacker who controls the message object handed to verify() can craft one that passes verification against a known valid signature, so a signature is treated as covering data it never signed. Any application that relies on tiny-secp256k1 for signature checks, in particular one whose message argument is parsed from untrusted JSON input, could therefore accept forged or tampered data or authorize an action on the strength of a signature that does not match it. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This is a dependency issue, not something visible on the network: check whether any installed tiny-secp256k1 is 1.1.6 or earlier and whether the npm 'buffer' package stands in for the global Buffer. Run npm ls tiny-secp256k1 (add --all to include nested copies) and npm ls buffer in each project. For a built browser bundle or React Native app, the decisive check is at runtime: with the npm 'buffer' package as the global Buffer, Buffer.isBuffer({ _isBuffer: true }) returns true, whereas Node's core Buffer returns false. [1]
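One way to script the version check, as an added example that is not part of this page, of npm or of tiny-secp256k1: it walks the JSON that `npm ls --all --json` prints and reports every nested copy of tiny-secp256k1 below 1.1.7, together with whether the npm 'buffer' package appears anywhere in the tree. The tree embedded in the block is constructed sample data; the package names in it other than tiny-secp256k1 and buffer are made up.

```javascript
// Added example: flag vulnerable tiny-secp256k1 installs in an `npm ls --all --json`
// dependency tree. Not part of the advisory or of npm; the sample tree is constructed.

const FIXED_VERSION = [1, 1, 7]; // first fixed release per the advisory

// "v1.1.6-rc.1" -> [1, 1, 6]; returns null for anything that is not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Depth-first walk collecting every occurrence of the two packages of interest,
// with the dependency path so nested (non-hoisted) copies can be located.
function collect(node, path, found) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'tiny-secp256k1' || name === 'buffer') {
      found.push({ name, version: child.version, path: here.join(' > ') });
    }
    collect(child, here, found);
  }
  return found;
}

function assessTree(tree) {
  const found = collect(tree, [], []);
  const vulnerable = found.filter((f) => {
    if (f.name !== 'tiny-secp256k1') return false;
    const v = parseVersion(f.version);
    return v !== null && lessThan(v, FIXED_VERSION);
  });
  const bufferInTree = found.some((f) => f.name === 'buffer');
  // Exposed only when both advisory conditions hold: a vulnerable version
  // running on plain Node (core Buffer, no polyfill) is not affected.
  return { vulnerable, bufferInTree, exposed: vulnerable.length > 0 && bufferInTree };
}

// Constructed sample shaped like `npm ls --all --json` output; the package names
// other than tiny-secp256k1 and buffer are invented.
const SAMPLE_TREE = {
  name: 'wallet-frontend',
  version: '0.1.0',
  dependencies: {
    'wallet-lib': {
      version: '3.4.0',
      dependencies: { 'tiny-secp256k1': { version: '1.1.6' } },
    },
    'buffer': { version: '6.0.3' },
    'newer-lib': {
      version: '1.0.0',
      dependencies: { 'tiny-secp256k1': { version: '2.2.3' } },
    },
  },
};

console.log(JSON.stringify(assessTree(SAMPLE_TREE), null, 2));
```

To use it on a real project, run `npm ls --all --json > tree.json` and pass the parsed file to assessTree. The 'buffer' lookup is only a hint: a bundler can inject the polyfill without it appearing as a listed dependency, so the runtime Buffer.isBuffer probe in the built artifact is what settles the precondition.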


What immediate steps should I take to mitigate this vulnerability?

Upgrade tiny-secp256k1 to version 1.1.7 or later, where the check is fixed, or move to the 2.x line, which accepts only Uint8Array inputs and is not affected. Until the upgrade is deployed, make sure nothing parsed from untrusted input (such as a JSON request body) can reach verify() as the message argument without first being converted to a genuine byte array. [1]
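To make both the bypass explained above and the Uint8Array fix recommended here concrete, the following added example (not code from tiny-secp256k1 or from the npm 'buffer' package) reproduces the duck-typed `_isBuffer` marker check that the npm 'buffer' package uses for Buffer.isBuffer beside Node's instanceof check, runs a hypothetical 1.x-style "Buffer of 32 bytes" message guard against a crafted JSON object, and shows a hardened guard of the kind 2.x applies. The guard function names and shapes and the crafted object are assumptions made for illustration; the JSON string is constructed.

```javascript
// Added example: models the Buffer.isBuffer bypass described in CVE-2024-49365
// and the Uint8Array check that closes it. Not code from tiny-secp256k1 or
// the npm `buffer` package; the guard functions below are hypothetical.

// Duck-typed check as used by the npm `buffer` package (browser polyfill):
// any object carrying `_isBuffer: true` is accepted.
function duckTypedIsBuffer(b) {
  return b != null && b._isBuffer === true;
}

// Node's core Buffer.isBuffer is an instanceof check on the real class.
function instanceIsBuffer(b) {
  return b instanceof Buffer;
}

// Hypothetical 1.x-style message guard: "a Buffer of exactly 32 bytes",
// parameterised on whichever isBuffer the environment supplies.
function isScalarLoose(isBufferFn, x) {
  return isBufferFn(x) && x.length === 32;
}

// Hardened guard in the spirit of tiny-secp256k1 2.x: only a real 32-byte
// array is a valid message hash. Node Buffers pass too, because Buffer
// extends Uint8Array; a plain object never does.
function isScalarStrict(x) {
  return x instanceof Uint8Array && x.length === 32;
}

// Constructed attacker input: a plain JSON object, as it would arrive in an
// untrusted request body. It holds no bytes, only the marker and a length.
const CRAFTED_JSON = '{"_isBuffer":true,"length":32,"0":255}';
const crafted = JSON.parse(CRAFTED_JSON);

// Runtime probe for a built bundle: true means the duck-typed polyfill is the
// global Buffer and the loose guard is bypassable.
function usesDuckTypedIsBuffer(BufferImpl) {
  return BufferImpl.isBuffer({ _isBuffer: true }) === true;
}

// How each guard treats the crafted object versus genuine 32-byte inputs.
function compareGuards() {
  const genuine = new Uint8Array(32).fill(0xab);
  return {
    looseWithPolyfill: isScalarLoose(duckTypedIsBuffer, crafted),  // true: bypass
    looseWithNodeBuffer: isScalarLoose(instanceIsBuffer, crafted), // false
    strictOnCrafted: isScalarStrict(crafted),                      // false: fixed
    strictOnGenuine: isScalarStrict(genuine),                      // true
    strictOnNodeBuffer: isScalarStrict(Buffer.alloc(32)),          // true
  };
}

console.log(compareGuards());
console.log('global Buffer is duck-typed polyfill:', usesDuckTypedIsBuffer(Buffer));
```

Run under Node, the last line prints false because the core Buffer is in use; the same probe inside a browser bundle whose Buffer comes from the npm 'buffer' package prints true, which is exactly the environment the advisory scopes the issue to.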

