19 matches found
CVE-2025-64702 vulnerabilities
Vulnerabilities for packages: spegel, ipfs-cluster, dkron, frp, seaweedfs, traefik, kubernetes-dns-node-cache, q, buf, caddy, teleport, kargo, k8sgateway, k3s, kubo...
EUVD-2025-179959
Malicious code in buffer-package-bionics-graphql (npm)...
Malicious code in buffer-package-bionics-graphql (npm)
Source: amazon-inspector (d1fd405157c2817e145d01f5a76694010a00124749169424ea157e463f04adb5). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-115939
Malicious code in buffer-nuxtjs-webdriverio-standard (npm)...
EUVD-2024-54990
Malicious code in bioql (PyPI)...
EUVD-2024-54991
Malicious code in bioql (PyPI)...
CVE-2024-49364
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...
Private Key Extraction
tiny-secp256k1 is vulnerable to private key extraction. The vulnerability is due to the ability to bypass Buffer.isBuffer checks when the global Buffer is overridden by the NPM buffer package, which allows an attacker to reuse the nonce k across different messages and extract the private key by...
CVE-2024-49365
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...
CVE-2024-49364 tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...
CVE-2024-49364 tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...
CVE-2024-49365 tiny-secp256k1 allows for verify() bypass when running in bundled environment
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...
CVE-2024-49365
The CVE-2024-49365 issue affects tiny-secp256k1 prior to 1.1.7, where in environments using the Node buffer package, Buffer.isBuffer can be bypassed and a crafted JSON-stringifiable object could be accepted by verify(), potentially causing false-positive True values. The root cause is a vulnerabi...
CVE-2024-49365 tiny-secp256k1 allows for verify() bypass when running in bundled environment
tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...
GHSA-5VHG-9XG4-CV9M tiny-secp256k1 allows for verify() bypass when running in bundled environment
Summary: A malicious JSON-stringifyable message can be made passing on verify, when global Buffer is buffer package. Details: This affects only environments where require('buffer') is E.g.: browser bundles, React Native apps, etc. Buffer.isBuffer check can be bypassed, resulting in strange objects bei...
GHSA-7MC2-6PHR-23XC tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
Summary: Private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is buffer package. Details: This affects only environments where require('buffer') is E.g.: browser bundles, React Native apps, etc. Buffer.isBuffer check can be bypassed, resulting in k reuse fo...
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
Summary: Private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is buffer package. Details: This affects only environments where require('buffer') is E.g.: browser bundles, React Native apps, etc. Buffer.isBuffer check can be bypassed, resulting in k reuse fo...
PT-2025-27492 · Unknown · Tiny-Secp256K1
Name of the Vulnerable Software and Affected Versions: tiny-secp256k1 versions prior to 1.1.7. Description: A private key can be extracted when signing a malicious JSON-stringifiable object, affecting environments where the global Buffer is the buffer package. The Buffer.isBuffer check can be...
CVE-2025-3194
CVE-2025-3194 concerns the npm package bigint-buffer. The vulnerability affects versions starting at 0.0.0 and later, where the function toBigIntLE() contains a buffer overflow that can cause the application to crash. Multiple sources consistently describe the root cause as improper bounds checki...