GHSA-7mc2-6phr-23xc

Опубликовано: 30 июн. 2025

Источник: github

Github: Прошло ревью

CVSS4: 8.1

Описание

tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment

Summary

Private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is buffer package

Details

This affects only environments where require('buffer') is https://npmjs.com/buffer E.g.: browser bundles, React Native apps, etc.

Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one)

v2.x is unaffected as it verifies input to be an actual Uint8Array instance

Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction

While signing unverified attacker-controlled messages would be problematic itself (and exploitation of this needs such a scenario), signing a single message still should not leak the private key

Also, message validation could have the same bug (out of scope for this report, but could be possible in some situations), which makes this attack more likely when used in a chain

https://github.com/bitcoinjs/tiny-secp256k1/pull/140 is a subtle fix for this

PoC

This code deliberately doesn't provide funnyBuffer and extractTiny for now, could be updated later

import secp256k1 from 'tiny-secp256k1' import crypto from 'crypto' const key = crypto.randomBytes(32) const msg0 = crypto.randomBytes(32) const sig0 = secp256k1.sign(msg0, key).toString('hex') const msg1 = funnyBuffer(msg0) const sig1 = secp256k1.sign(msg1, key).toString('hex') const restored = extractTiny(msg0, sig0, sig1) console.log('Guesses:', JSON.stringify(restored, undefined, 2)) const recheck = (k) => secp256k1.sign(msg0, Buffer.from(k, 'hex')).toString('hex') === sig0 console.log('Rechecked:', JSON.stringify(restored.filter(recheck))) console.log('Actual key', key.toString('hex'))

Output:

Guesses: [ "8f351953047e6b149e0595547e7d10a8a1edc61bd519b5b2514202a495e434ed", "ebc81e1632a1b3255589ba84364949a0a6fd0229444519765570706d394671dd" ] Rechecked: ["ebc81e1632a1b3255589ba84364949a0a6fd0229444519765570706d394671dd"] Actual key ebc81e1632a1b3255589ba84364949a0a6fd0229444519765570706d394671dd

Impact

Full private key extraction when signing a single malicious message (that passes JSON.stringify/JSON.parse and can come from network)

Ссылки

Пакеты

Наименование

tiny-secp256k1

npm

Затронутые версииВерсия исправления

<= 1.1.6

1.1.7

EPSS

Процентиль: 19%

0.00058

Низкий

8.1 High

CVSS4

CVE ID

CVE-2024-49364

Дефекты

CWE-522

Связанные уязвимости

CVE-2024-49364

nvd

7 месяцев назад

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7.

EPSS

Процентиль: 19%

0.00058

Низкий

8.1 High

CVSS4

CVE ID

CVE-2024-49364

Дефекты

CWE-522