CVE-2024-49364

Name of the Vulnerable Software and Affected Versions: tiny-secp256k1 versions prior to 1.1.7

Description: A private key can be extracted when signing a malicious JSON-stringifiable object, affecting environments where the global Buffer is the buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message. This issue can be exploited by constructing a malicious message for any already known message/signature pair, allowing for full key extraction with a single malicious message being signed.

Recommendations: For tiny-secp256k1 versions prior to 1.1.7, update to version 1.1.7 to resolve the issue. As a temporary workaround, consider validating all input messages to prevent signing unverified attacker-controlled messages. Restrict access to the secp256k1.sign() function to minimize the risk of exploitation. Avoid using the Buffer package from NPM in environments where it can be exploited.