Vulnerability DatabaseGHSA-84c3-j8r2-mcm8

GHSA-84c3-j8r2-mcm8:
JavaScript vulnerability analysis and mitigation

Overview

A critical vulnerability was discovered in the @nfid/embed SDK and @dfinity/auth-client library affecting versions >=0.20.0-beta.0 and <1.0.1. The issue involves compromised Ed25519 key generation where the library failed to generate secure random seeds for key pairs, instead using an insecure seed that resulted in a compromised private key (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe). The vulnerability was disclosed on February 26, 2024, and has been assigned CVE-2024-27084 (GitHub Advisory).

Technical details

The vulnerability stems from the Ed25519KeyIdentity.generate function in the DFINITY auth client library. While the function includes an optional parameter for providing a 32-byte seed value for secret key generation, a recent update compromised the secure randomness generation when no seed value is provided. The vulnerability has been assigned a CVSS score of 9.1 (Critical), with base metrics indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. The weakness has been categorized under CWE-321 and CWE-330 (AgentJS Advisory).

Impact

The vulnerability exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control. Since the private key is compromised, attackers could gain access to any assets or resources associated with the affected principal on ledgers or lose control over canisters where this principal is the controller (GitHub Advisory).

Mitigation and workarounds

Users are advised to upgrade to version 1.0.1 of @dfinity/auth-client and @dfinity/identity packages, or @nfid/embed version 0.10.1-alpha.6 or higher. For developers unable to upgrade, temporary workarounds include invoking Ed25519KeyIdentity.generate(null) to force secure random seed generation or passing a securely generated randomness as a seed. Users should check their canister controllers and remove the compromised principal, and transfer any funds from affected wallet accounts to new accounts immediately (AgentJS Advisory).

Additional resources

Source: This report was generated using AI

Related JavaScript vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-22787	HIGH	8.7	JavaScript	html2pdf.js	No	Yes	Jan 14, 2026
CVE-2026-22820	MEDIUM	6.3	JavaScript	outray	No	Yes	Jan 14, 2026
CVE-2026-22819	MEDIUM	5.9	JavaScript	outray	No	Yes	Jan 14, 2026
CVE-2026-22036	LOW	3.7	JavaScript	node-undici	No	Yes	Jan 14, 2026
GHSA-73rr-hh4g-fpgx	LOW	N/A	JavaScript	diff	No	Yes	Jan 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-84c3-j8r2-mcm8: JavaScript vulnerability analysis and mitigation