Buffer Package Vulnerability in tiny-secp256k1 by BitcoinJS
CVE-2024-49365

8.1HIGH

Key Information:

Vendor: Bitcoinjs
Status: Tiny-secp256k1
Vendor: CVE Published:; 1 July 2025

What is CVE-2024-49365?

The tiny-secp256k1 JavaScript library has a vulnerability present in versions before 1.1.7, where a maliciously crafted JSON-stringifyable message can bypass security checks when the global Buffer is sourced from the NPM buffer package. This leads to distorted message validation, allowing erroneous objects to be processed as valid messages. Consequently, the verify() function could yield false-positive results. Users are urged to upgrade to version 1.1.7 to ensure proper validation and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

tiny-secp256k1 < 1.1.7

References

https://github.com/bitcoinjs/tiny-secp256k1/security/advi...

x_refsource_CONFIRM

https://github.com/bitcoinjs/tiny-secp256k1/pull/140

x_refsource_MISC

CVSS V4

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Oct 14, 2024

JSON

Bitcoinjs