Listen to this Post
How the CVE Works
The vulnerability exists in environments where `require(‘buffer’)` loads the npm `buffer` package (e.g., browser bundles, React Native). By bypassing `Buffer.isBuffer` checks, an attacker can force key (k) reuse during ECDSA signing. A maliciously crafted JSON-stringifiable object triggers this flaw, allowing private key extraction after signing just one malicious message. The attacker needs a single valid message/signature pair to construct the exploit. Version 2.x is unaffected as it enforces `Uint8Array` validation.
DailyCVE Form
Platform: tiny-secp256k1
Version: <2.x
Vulnerability: Key extraction
Severity: Critical
Date: 2021-01-19
Prediction: Patch by 2021-02-15
What Undercode Say
npm audit tiny-secp256k1 --json | grep CVE-2021-23820
const vulnCheck = require('tiny-secp256k1/package.json').version.startsWith('1.');
How Exploit
1. Attacker crafts malicious JSON-stringifiable object.
2. Victim signs it, leaking `k`.
3. Attacker derives private key using known message/signature.
Protection from this CVE
- Upgrade to v2.x.
- Validate inputs as
Uint8Array. - Avoid signing untrusted messages.
Impact
Full private key compromise via single malicious signature.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
