Advisories for Npm/Tiny-Secp256k1 package

2025

tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment

Private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is buffer package

tiny-secp256k1 allows for verify() bypass when running in bundled environment

A malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is buffer package