CVE-2024-36277

5.3 MEDIUM

📋 TL;DR

The FreeFrom nostr client fails to detect nostr events carrying invalid cryptographic signatures, so an attacker can inject malicious event data that the app accepts as genuine. This affects all Android and iOS users running versions prior to 1.3.5 and potentially compromises the integrity of their nostr communications.

💻 Affected Systems

Products:
  • FreeFrom - the nostr client
Versions: All versions prior to 1.3.5
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject fake messages, impersonate users, or spread misinformation through the nostr network, undermining trust in the platform.

🟠 Likely Case

Malicious actors could post unauthorized content appearing to come from legitimate users, causing reputation damage and confusion.

🟢 If Mitigated

With proper signature verification, only properly signed events from authenticated users would be accepted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting nostr events with invalid signatures, which is technically straightforward for attackers familiar with the protocol.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.5

Vendor Advisory: https://jvn.jp/en/jp/JVN55045256/

Restart Required: Yes

Instructions:

  1. Open Google Play Store or Apple App Store.
  2. Search for 'FreeFrom - the nostr client'.
  3. Update to version 1.3.5 or later.
  4. Restart the app.

🔧 Temporary Workarounds

  • Disable app until patched (all): Temporarily stop using the vulnerable app version.
  • Use alternative nostr client (all): Switch to a different nostr client application that properly verifies signatures.

🧯 If You Can't Patch

  • Monitor for unusual activity or unexpected messages in the app
  • Verify important messages through alternative communication channels

🔍 How to Verify

Check if Vulnerable:

Check app version in settings: if version is below 1.3.5, you are vulnerable.

Check Version:

Open FreeFrom app → Settings → About or App Info

Verify Fix Applied:

Confirm app version is 1.3.5 or higher in app settings.

📡 Detection & Monitoring

Log Indicators:

  • Unusual message patterns
  • Messages from users that don't match their typical behavior

Network Indicators:

  • Unexpected nostr event traffic with unusual signature patterns

SIEM Query:

Not applicable to a mobile app vulnerability.
