VYPR

npm package

tiny-secp256k1

pkg:npm/tiny-secp256k1

Vulnerabilities (2)

  • CVE-2024-49365HigJul 1, 2025
    affected < 1.1.7fixed 1.1.7

    tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer

  • CVE-2024-49364HigJul 1, 2025
    affected < 1.1.7fixed 1.1.7

    tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer packag