CVE-2024-49365

Name of the Vulnerable Software and Affected Versions: tiny-secp256k1 versions prior to 1.1.7

Description: A malicious JSON-stringifyable message can be made to bypass the Buffer.isBuffer check, resulting in strange objects being accepted as a message. This can trick the verify() function into returning false-positive true values. The issue affects environments where require('buffer') is the NPM buffer package, such as browser bundles and React Native apps. A malicious message can be constructed for any already known message/signature pair, with some restrictions depending on the known message/signature.

Recommendations: For tiny-secp256k1 versions prior to 1.1.7, update to version 1.1.7 or later to resolve the issue. As a temporary workaround, consider adding additional input validation to ensure that only actual Uint8Array instances are accepted as messages. Restrict access to the verify() function to minimize the risk of exploitation. Avoid using the Buffer.isBuffer check alone to verify the integrity of messages.