How the CVE Works
The vulnerability occurs when the `tiny-secp256k1` library (v1.x) runs in an environment that relies on the `buffer` npm package (a `Buffer` polyfill) and is handed a malicious JSON-stringifiable object instead of real bytes as the message. The polyfill's `Buffer.isBuffer` check can be bypassed, so a crafted plain object is accepted as a valid message. An attacker who holds a known message/signature pair can construct a payload that mimics that message and trick `verify()` into returning a false positive (`true`). Browser bundles and React Native apps are the affected deployments. The v2.x branch is unaffected because it strictly checks that inputs are `Uint8Array` instances.
DailyCVE Form
Platform: Node.js/npm
Version: tiny-secp256k1 (<2.0)
Vulnerability: Buffer spoofing
Severity: Critical
Date: 2023-05-15
Prediction: Patch by 2023-06-10
What Undercode Say
```bash
npm audit --production | grep tiny-secp256k1
curl -s https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588
```
How Exploit
```javascript
const tiny = require("tiny-secp256k1"); // v1.x, bundled with the `buffer` polyfill

// A plain object shaped like Buffer's JSON form, not a real Uint8Array.
const fakeMsg = {
  type: "Buffer",
  data: [83, 101, 99, 117, 114, 101, 32, 99, 111, 110, 116, 97, 105, 110, 32, 112, 114, 111, 116, 101, 99, 116]
};

// publicKey and signature are a known-valid pair for the message these bytes spell out.
tiny.verify(fakeMsg, publicKey, signature); // Returns true
```
Protection from this CVE
- Upgrade to tiny-secp256k1 v2.x.
- Validate inputs as `Uint8Array`.
- Avoid `Buffer` polyfills in browsers.
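The second mitigation above, strict `Uint8Array` validation, can be applied in front of any v1.x `verify()` call. The following is an added example written for this page; it is not tiny-secp256k1's own code. The helper names `isStrictBytes`, `assertBytes`, `guardedVerify` and `runDemo` are hypothetical, and the key, signature and message bytes are constructed placeholders, not real key material. The gate relies on `instanceof Uint8Array` rather than `Buffer.isBuffer`, so a plain object of the `{ type: "Buffer", data: [...] }` shape never reaches the verifier regardless of which properties it carries.

```javascript
// Added example, not tiny-secp256k1's own code: a strict input gate that
// only lets genuine Uint8Array bytes reach a signature-verification call.

const MSG_LEN = 32; // secp256k1 message hash: 32 bytes
const PUB_LENS = [33, 65]; // compressed or uncompressed public key
const SIG_LEN = 64; // compact r||s signature: 64 bytes

// True only for a real typed-array view whose length is in allowedLens.
// Plain objects, arrays and strings fail the instanceof test no matter
// what `type`, `data` or other properties they carry.
function isStrictBytes(value, allowedLens) {
  if (!(value instanceof Uint8Array)) return false;
  if (!ArrayBuffer.isView(value)) return false;
  return allowedLens.includes(value.length);
}

function assertBytes(value, allowedLens, name) {
  if (!isStrictBytes(value, allowedLens)) {
    throw new TypeError(`${name}: expected Uint8Array of length ${allowedLens.join("/")}`);
  }
  return value;
}

// Wraps any verify(msg, pubKey, sig) so spoofed inputs are rejected first.
function guardedVerify(verifyFn, msg, pubKey, sig) {
  assertBytes(msg, [MSG_LEN], "message");
  assertBytes(pubKey, PUB_LENS, "publicKey");
  assertBytes(sig, [SIG_LEN], "signature");
  return verifyFn(msg, pubKey, sig);
}

// Constructed sample inputs (placeholders, not real key material).
const spoofedMsg = { type: "Buffer", data: new Array(MSG_LEN).fill(1) };
const realMsg = new Uint8Array(MSG_LEN).fill(1);
const placeholderPub = new Uint8Array(33).fill(2);
const placeholderSig = new Uint8Array(SIG_LEN).fill(3);

// Stand-in for tiny.verify(): only records whether it was reached.
function makeRecordingVerify() {
  const state = { calls: 0 };
  const fn = () => { state.calls += 1; return true; };
  return { fn, state };
}

// Pushes several candidate "messages" through the gate and reports
// which ones reached the verifier and which were rejected.
function runDemo() {
  const { fn, state } = makeRecordingVerify();
  const candidates = {
    realUint8Array: realMsg,
    nodeBuffer: typeof Buffer !== "undefined" ? Buffer.from(realMsg) : realMsg,
    spoofedObject: spoofedMsg,
    plainArray: Array.from(realMsg),
    wrongLength: new Uint8Array(31),
    hexString: "01".repeat(MSG_LEN),
  };
  const results = {};
  for (const [label, candidate] of Object.entries(candidates)) {
    try {
      results[label] = guardedVerify(fn, candidate, placeholderPub, placeholderSig);
    } catch (e) {
      results[label] = e instanceof TypeError ? "rejected" : "error";
    }
  }
  return { results, verifyCalls: state.calls };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runDemo());
}
```

Only the genuine `Uint8Array` and the Node `Buffer` (itself a `Uint8Array` subclass) reach the verifier; the spoofed object, the plain number array, the wrong-length view and the hex string are all rejected before `verifyFn` runs. Upgrading to v2.x, which performs this check internally, remains the primary fix.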
Impact
- False-positive signature verification.
- Spoofed data integrity.
- Chainable with other exploits.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

