tiny-secp256k1@0.0.0-rc-1560324438 vulnerabilities

A tiny secp256k1 JS

  • latest version

    2.2.4

  • latest non vulnerable version

  • first published

    7 years ago

  • latest version published

    4 months ago

  • licenses detected

    • >=0.0.0-rc-1560324438 <0.0.1; >=1.1.0
  • Direct Vulnerabilities

    Known vulnerabilities in the tiny-secp256k1 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • C
    Improper Verification of Cryptographic Signature

    tiny-secp256k1 is a tiny secp256k1 JS package.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the verify() function when running in a bundled environment where the global Buffer is provided by the buffer package. An attacker can bypass signature verification by crafting a malicious JSON-stringifiable message that is accepted as valid, allowing false-positive verification results for known message/signature pairs.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade tiny-secp256k1 to version 1.1.7 or higher.

    <1.1.7
    • C
    Insufficiently Protected Credentials

    tiny-secp256k1 is a tiny secp256k1 JS package.

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials while signing a single message in a malicious JSON-stringifiable object in environments where the global Buffer is provided by the buffer package. An attacker can extract private keys by crafting a specially constructed message that bypasses input validation in Buffer.isBuffer and causes key reuse from a previously known valid message/signature pair.

    How to fix Insufficiently Protected Credentials?

    Upgrade tiny-secp256k1 to version 1.1.7 or higher.

    <1.1.7