High severityOSV Advisory· Published Jul 1, 2025· Updated Apr 15, 2026

CVE-2024-49365

Description

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tiny-secp256k1npm	< 1.1.7	1.1.7

Affected products

Bitcoinjs/Tiny Secp256k1OSV
Range: v0.0.2, v0.0.3, v0.0.4, …

Patches

fc53db79af6e

https://github.com/bitcoinjs/tiny-secp256k1via osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-5vhg-9xg4-cv9mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-49365ghsaADVISORY
github.com/bitcoinjs/tiny-secp256k1/pull/140nvdWEB
github.com/bitcoinjs/tiny-secp256k1/security/advisories/GHSA-5vhg-9xg4-cv9mnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000