CVE-2024-49365
HIGHtiny-secp256k1 < 1.1.7 - Improper Verification of Cryptographic Signature via Buffer.isBuffer Bypass
Title source: llmDescription
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.
References (2)
Core 2
Core References
Issue Tracking x_refsource_misc
https://github.com/bitcoinjs/tiny-secp256k1/pull/140
Vendor Advisory x_refsource_confirm
https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m
Scores
CVSS v4
8.1
EPSS
0.0022
EPSS Percentile
11.7%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-347
Status
published
Products (2)
bitcoinjs/tiny-secp256k1
< 1.1.7
npm/tiny-secp256k1
0 - 1.1.7npm
Published
Jul 01, 2025
Tracked Since
Feb 18, 2026