Buffer Package Vulnerability in tiny-secp256k1 by BitcoinJS
CVE-2024-49365

8.1HIGH

Key Information:

Vendor: Bitcoinjs
Status: Tiny-secp256k1
Vendor: CVE Published:; 1 July 2025

What is CVE-2024-49365?

The tiny-secp256k1 JavaScript library has a vulnerability present in versions before 1.1.7, where a maliciously crafted JSON-stringifyable message can bypass security checks when the global Buffer is sourced from the NPM buffer package. This leads to distorted message validation, allowing erroneous objects to be processed as valid messages. Consequently, the verify() function could yield false-positive results. Users are urged to upgrade to version 1.1.7 to ensure proper validation and security.

Affected Version(s)

tiny-secp256k1 < 1.1.7

References

https://github.com/bitcoinjs/tiny-secp256k1/security/advi...

x_refsource_CONFIRM

https://github.com/bitcoinjs/tiny-secp256k1/pull/140

x_refsource_MISC

CVSS V4

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Oct 14, 2024

Bitcoinjs

What is CVE-2024-49365?

Affected Version(s)

References

CVSS V4

Timeline