CVE intelligence and bounded remediation

CVE-2024-1631 — Dfinity Icp-Js-Core security vulnerability

Critical CVSS 9.1

Impact: The library offers a function to generate an ed25519 key pair via Ed25519KeyIdentity.generate with an optional param to provide a 32 byte seed value, which will then be used as the secret key. When no seed value is provided, it is expected that the library generates the secret key using secure randomness. However, a recent change broke this guarantee and uses an insecure seed for key pair generation. Since the private key of this identity (535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe) is compromised, one could lose funds associated with the principal on ledgers or lose access to a canister where this principal is the controller.

Severity
Critical
CVSS
9.1 (3.1)
Published
2024-02-21
CISA KEV
Not currently listed
Ecosystem
software/application
Weaknesses
CWE-321, CWE-330

Affected products

  • dfinity / icp-js-core

Matched remediation archetype

Cryptography, certificate, signature, and channel validation

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Inventory affected algorithms, key uses, trust stores, certificate validation settings, random sources, and plaintext channels across clients and services.
  • Determine which secrets, identities, signatures, or data protections depend on the affected primitive or validation path.
  • Check debug, compatibility, fallback, and hostname or audience override settings in build and runtime configuration.

Remediate safely

  • Use a maintained platform cryptographic API with approved algorithms, modes, parameters, randomness, and full peer identity validation.
  • Remove insecure fallback and validation bypasses; separate keys by purpose and load them from managed secret storage.
  • Plan rotation or reissuance for affected keys, certificates, tokens, hashes, or ciphertext and document compatibility sequencing.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.