{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49365", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-14T13:56:34.810Z", "datePublished": "2025-07-01T02:07:02.922Z", "dateUpdated": "2025-07-01T13:18:55.447Z"}, "containers": {"cna": {"title": "tiny-secp256k1 allows for verify() bypass when running in bundled environment", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m"}, {"name": "https://github.com/bitcoinjs/tiny-secp256k1/pull/140", "tags": ["x_refsource_MISC"], "url": "https://github.com/bitcoinjs/tiny-secp256k1/pull/140"}], "affected": [{"vendor": "bitcoinjs", "product": "tiny-secp256k1", "versions": [{"version": "< 1.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-01T02:07:02.922Z"}, "descriptions": [{"lang": "en", "value": "tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7."}], "source": {"advisory": "GHSA-5vhg-9xg4-cv9m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-01T13:18:50.250655Z", "id": "CVE-2024-49365", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-01T13:18:55.447Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49365", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-01T13:18:50.250655Z"}}}], "references": [{"url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-01T13:18:02.984Z"}}], "cna": {"title": "tiny-secp256k1 allows for verify() bypass when running in bundled environment", "source": {"advisory": "GHSA-5vhg-9xg4-cv9m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bitcoinjs", "product": "tiny-secp256k1", "versions": [{"status": "affected", "version": "< 1.1.7"}]}], "references": [{"url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "name": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bitcoinjs/tiny-secp256k1/pull/140", "name": "https://github.com/bitcoinjs/tiny-secp256k1/pull/140", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-01T02:07:02.922Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49365", "state": "PUBLISHED", "dateUpdated": "2025-07-01T13:18:55.447Z", "dateReserved": "2024-10-14T13:56:34.810Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-01T02:07:02.922Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7."}, {"lang": "es", "value": "tiny-secp256k1 es un peque\u00f1o contenedor nativo/JS para secp256k1. Antes de la versi\u00f3n 1.1.7, se pod\u00eda crear un mensaje malicioso que se pudiera convertir en cadena JSON al pasar por verify() cuando el paquete de b\u00fafer es global B\u00fafer. Esto solo afecta a entornos donde require('b\u00fafer') es el paquete de b\u00fafer de NPM. Se puede omitir la comprobaci\u00f3n de Buffer.isBuffer, lo que provoca que se acepten objetos extra\u00f1os como mensaje, y estos mensajes podr\u00edan enga\u00f1ar a verify() para que devuelva valores verdaderos falsos positivos. Este problema se ha corregido en la versi\u00f3n 1.1.7."}], "id": "CVE-2024-49365", "lastModified": "2025-07-03T15:14:12.767", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-01T03:15:21.327", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/bitcoinjs/tiny-secp256k1/pull/140"}, {"source": "security-advisories@github.com", "url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}