CVE-2024-1631

agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`

Description

Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller.

Category

9.1
CVSS
Severity: Critical
CVSS 3.1 •
EPSS 0.07%
Affected: Internet Computer agent-js
Published at:
Updated at:

References

Link Tags
https://github.com/dfinity/agent-js/pull/851
https://www.npmjs.com/package/@dfinity/identity/v/1.0.1
https://github.com/dfinity/agent-js
https://agent-js.icp.xyz/identity/index.html
https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3

Frequently Asked Questions

What is the severity of CVE-2024-1631?
CVE-2024-1631 has been scored as a critical severity vulnerability.
How to fix CVE-2024-1631?
To fix CVE-2024-1631, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-1631 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-1631 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-1631?
CVE-2024-1631 affects Internet Computer agent-js.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.