CVE-2024-49364
JavaScript vulnerability analysis and mitigation

Overview

tiny-secp256k1, a tiny secp256k1 native/JS wrapper, was found to contain a critical vulnerability (CVE-2024-49364) in versions prior to 1.1.7. The vulnerability affects environments where require('buffer') resolves to the NPM buffer package, such as browser bundles and React Native apps. The issue was discovered and disclosed in June 2025 (GitHub Advisory).

Technical details

The vulnerability stems from a bypass of the Buffer.isBuffer check when signing a malicious JSON-stringifiable object. The bypass causes the same nonce k to be reused for different messages, which allows private key extraction from the signature over a single invalid message together with one other message/signature pair. The vulnerability is particularly concerning because only a single malicious message needs to be signed for complete key extraction (GitHub Advisory).

Impact

The vulnerability allows full private key extraction when signing a single malicious message that survives a JSON.stringify/JSON.parse round trip and can therefore arrive over the network. This is particularly severe because signing a single message should never expose the private key, even when attacker-controlled messages are being signed (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 1.1.7 of tiny-secp256k1. Users are strongly advised to upgrade to this version or later. The fix involves proper validation of input types and prevention of Buffer.isBuffer check bypass (GitHub Pull).
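The two defensive controls implied by the technical details and the fix above, as an added example that is not tiny-secp256k1's own code: a strict message check that accepts only a real 32-byte Uint8Array (a value that came through JSON.parse is a plain object and can never pass it, so no duck-typed isBuffer check is involved), plus an audit helper that flags signatures from one public key sharing an r value, the observable symptom of nonce reuse. The function names and the sample signature records are constructed for illustration.

```javascript
// Added example (not from tiny-secp256k1): strict message validation
// plus an audit check for repeated ECDSA nonces.

// Accept only a genuine 32-byte Uint8Array (Node's Buffer is a subclass,
// so real Buffers pass). A JSON.parse result is a plain object and fails
// instanceof, regardless of which properties it carries.
function isValidMessage32(msg) {
  return msg instanceof Uint8Array && msg.length === 32;
}

// Throw before any signing code sees an untrusted value.
function assertMessage32(msg) {
  if (!isValidMessage32(msg)) {
    throw new TypeError('Expected message to be a 32-byte Uint8Array');
  }
  return msg;
}

// Audit helper: ECDSA signatures from the same public key that share the
// same r value were produced with the same nonce k. Returns each
// (pubkey, r) pair seen more than once so an operator can rotate the key.
function findNonceReuse(signatures) {
  const seen = new Map(); // "pubkey|r" -> count
  for (const sig of signatures) {
    const key = `${sig.pubkey}|${sig.r}`;
    seen.set(key, (seen.get(key) || 0) + 1);
  }
  return [...seen.entries()]
    .filter(([, count]) => count > 1)
    .map(([key, count]) => {
      const [pubkey, r] = key.split('|');
      return { pubkey, r, count };
    });
}

// Constructed inputs for illustration only.
const goodMsg = new Uint8Array(32).fill(0xab);
// What a Buffer looks like after a JSON round trip: a plain object.
const jsonMsg = JSON.parse(JSON.stringify({ type: 'Buffer', data: [1, 2, 3] }));
const sampleSigs = [ // constructed records; hex values abbreviated
  { pubkey: '02aa', r: '1111', s: '2222' },
  { pubkey: '02aa', r: '1111', s: '3333' }, // same key, same r -> k reuse
  { pubkey: '02bb', r: '1111', s: '4444' }, // different key, not flagged
];
```

Running `findNonceReuse` over a signature archive is a cheap way to check whether a key was ever used by an affected build, since k reuse shows up as a repeated r even when the messages differ.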
