
Cloud Vulnerability DB
A community-led vulnerabilities database
tiny-secp256k1, a tiny secp256k1 native/JS wrapper, was found to contain a signature verification bypass (CVE-2024-49365) in versions prior to 1.1.7. The vulnerability was discovered and disclosed on June 29, 2025. It affects only environments in which the global Buffer (what require('buffer') resolves to) is the NPM buffer package rather than Node's native Buffer, which is typically the case in browser bundles and React Native apps (GitHub Advisory).
The vulnerability allows a malicious, JSON-stringifyable message object to pass verification in the verify() function when the global Buffer is the buffer package. The library's Buffer.isBuffer check can be circumvented because the buffer package implements isBuffer as a duck-typed test on an _isBuffer property rather than an instance check, so a plain object carrying that property (for example one produced by JSON.parse on attacker-supplied input) is accepted as a message. verify() can then return true for a message that was never signed. The vulnerability is tracked as CWE-347 (Improper Verification of Cryptographic Signature) and has received a CVSS v4.0 score of 8.1 (HIGH) (GitHub Advisory).
Given any known valid message/signature pair, an attacker can craft a message object that verify() accepts with that same signature. Systems that rely on verify() to gate on a valid signature may therefore accept unauthorized or malicious messages as authentic, and applications that accept JSON-decoded input as the message are the most directly exposed (GitHub Advisory).
The vulnerability has been patched in version 1.1.7 of tiny-secp256k1, and users of the 1.x line are advised to upgrade to at least this version. v2.x of the library is unaffected because it verifies that the input is an actual Uint8Array instance, which a JSON-decoded object can never be (GitHub Advisory, GitHub PR).
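The following is an added example, not code from tiny-secp256k1 or the advisory, showing why the duck-typed check is bypassable and what a Uint8Array instance check changes. The bufferPkgIsBuffer function is a model of the buffer package's own isBuffer logic (a null check plus _isBuffer === true), the attacker JSON is constructed for the demonstration, and naiveBytes stands in for any byte-wise consumer that indexes into the accepted object; it is an illustration of what such a consumer would see, not a copy of the library's message handling.

```javascript
// Added example: weak (duck-typed) vs strict (instance) message gating.
// Not tiny-secp256k1's code; function names and the crafted input are
// constructed for this demonstration.

// Model of the `buffer` npm package's isBuffer: any non-null value whose
// `_isBuffer` property is strictly true passes. No instanceof check.
function bufferPkgIsBuffer(b) {
  return b != null && b._isBuffer === true;
}

// Weak gate in the style of the affected 1.x check when Buffer is the
// `buffer` package: isBuffer plus a length check.
function isValidMessageWeak(msg) {
  return bufferPkgIsBuffer(msg) && msg.length === 32;
}

// Strict gate, the approach the advisory credits for v2.x being unaffected:
// the value must be a real Uint8Array instance of the expected length.
function isValidMessageStrict(msg) {
  return msg instanceof Uint8Array && msg.length === 32;
}

// Illustrative byte-wise consumer: reads 32 indices from whatever object it
// was handed. Missing indices yield undefined, and `undefined | 0` is 0, so a
// JSON object with no numeric keys silently becomes the all-zero message.
function naiveBytes(msg) {
  const out = new Uint8Array(32);
  for (let i = 0; i < 32; i++) out[i] = (msg[i] | 0) & 0xff;
  return out;
}

// Constructed attacker input: plain JSON, no prototype, no real bytes.
const CRAFTED_JSON = '{"_isBuffer":true,"length":32}';
const craftedMessage = JSON.parse(CRAFTED_JSON);

// Constructed attacker input that also supplies chosen byte values.
const CRAFTED_WITH_BYTES_JSON =
  '{"_isBuffer":true,"length":32,"0":222,"1":173,"2":190,"3":239}';
const craftedWithBytes = JSON.parse(CRAFTED_WITH_BYTES_JSON);

// A genuine 32-byte message for comparison.
const genuineMessage = new Uint8Array(32).fill(0xab);

// Summarize how each gate treats each input.
function gateResults() {
  return {
    weakAcceptsCrafted: isValidMessageWeak(craftedMessage),
    strictAcceptsCrafted: isValidMessageStrict(craftedMessage),
    strictAcceptsGenuine: isValidMessageStrict(genuineMessage),
    // Node's native Buffer.isBuffer is instanceof-based, so the same object
    // is rejected there. This is why only buffer-package environments are hit.
    nativeIsBufferAcceptsCrafted: Buffer.isBuffer(craftedMessage),
    craftedReadsAsZeros: naiveBytes(craftedMessage).every((b) => b === 0),
    craftedWithBytesFirstFour: Array.from(naiveBytes(craftedWithBytes).slice(0, 4)),
  };
}

console.log(gateResults());
```

The takeaway for anyone gating on Buffer.isBuffer in a bundled or React Native build: the check tells you only that the value claims to be a Buffer. Check for a Uint8Array instance (and the exact length) before handing a value to any cryptographic routine, and treat JSON-decoded objects as untrusted until they have been converted into a real byte array.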
Source: This report was generated using AI