CVE-2024-49365: 
JavaScript vulnerability analysis and mitigation

tiny-secp256k1, a native/JS wrapper for secp256k1, was found to contain a critical vulnerability (CVE-2024-49365) affecting versions prior to 1.1.7. The vulnerability allows malicious JSON-stringifyable messages to bypass verification checks when the global Buffer is the buffer package, specifically in environments where require('buffer') is the NPM buffer package (GitHub Advisory).

The vulnerability stems from a bypass in the Buffer.isBuffer check, which allows arbitrary objects to be accepted as valid messages. These malicious messages could trick the verify() function into returning false-positive true values. This issue specifically affects browser bundles and React Native apps where the buffer package from npmjs.com is used. The vulnerability is particularly concerning as it allows crafting malicious messages for any known message/signature pair (GitHub Advisory).

The vulnerability enables attackers to craft malicious messages that could be verified as valid from a given known message/signature pair. This could lead to the acceptance of unauthorized or malicious data in systems relying on secp256k1 signature verification. The issue is rated as Critical due to its potential impact on cryptographic verification systems (GitHub Advisory).

The vulnerability has been patched in version 1.1.7 of tiny-secp256k1. Users are strongly advised to upgrade to this version. The fix was implemented through PR #140, which adds proper Uint8Array input type support and includes additional validation checks (GitHub PR).