High severityNVD Advisory· Published Jul 1, 2025· Updated Apr 15, 2026

CVE-2024-49364

Description

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tiny-secp256k1npm	< 1.1.7	1.1.7

Patches

fc53db79af6e

https://github.com/bitcoinjs/tiny-secp256k1via osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-7mc2-6phr-23xcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-49364ghsaADVISORY
github.com/bitcoinjs/tiny-secp256k1/pull/140nvdWEB
github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-7mc2-6phr-23xcnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000