tiny-secp256k1 Buffer Package Vulnerability in Message Verification

Vulnerability

A vulnerability exists in tiny-secp256k1 versions prior to 1.1.7, specifically in environments where the NPM buffer package is used. The issue arises because a malicious message that can be serialized into JSON can bypass the Buffer.isBuffer check. This allows non-Buffer objects to be accepted as messages, potentially causing the verify() function to incorrectly validate signatures. The vulnerability could be exploited by crafting a message that, when verified, would be accepted as valid despite being fraudulent.

Impact

Exploitation of this vulnerability allows for the creation of malicious messages that can be falsely verified as legitimate by the verify() function, potentially leading to incorrect validation of signatures.

Reproduction

The vulnerability can be reproduced by using tiny-secp256k1 version 1.1.6 in an environment that includes the NPM buffer package, such as a browser bundle or a React Native application. After importing tiny-secp256k1 and generating a key pair, a valid signature can be created by signing a Buffer filled with data. This signature can then be used to craft a payload that, when parsed and processed, will be incorrectly verified as valid by the verify() function.

Remediation

Users can update to tiny-secp256k1 version 1.1.7 or later, which addresses this vulnerability by ensuring that the verify() function correctly validates messages instead of relying on the bypassable Buffer.isBuffer check.

Added: Jul 1, 2025, 3:32 AM
Updated: Jul 1, 2025, 3:32 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.