Source: node-bn.js
Version: 5.2.1+~5.1.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/indutny/bn.js/pull/317
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-bn.js.

CVE-2026-2739[0]:
| This affects versions of the package bn.js before 5.2.3. Calling
| maskn(0) on any BN instance corrupts the internal state, causing
| toString(), divmod(), and other methods to enter an infinite loop,
| hanging the process indefinitely.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-2739
    https://www.cve.org/CVERecord?id=CVE-2026-2739
[1] https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
[2] https://github.com/indutny/bn.js/issues/316
[3] https://github.com/indutny/bn.js/issues/186
[4] https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
[5] https://github.com/indutny/bn.js/pull/317
[6] https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b

Regards,
Salvatore

