Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mYzloLXdocTItdjc0N84ABARZ

Valid ECDSA signatures erroneously rejected in Elliptic

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Permalink: https://github.com/advisories/GHSA-fc9h-whq2-v747
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mYzloLXdocTItdjc0N84ABARZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 days ago
Updated: about 5 hours ago

Identifiers: GHSA-fc9h-whq2-v747, CVE-2024-48948
References:

Repository: https://github.com/indutny/elliptic
Blast Radius: 0.0

Affected Packages

npm:elliptic

Dependent packages: 2,976
Dependent repositories: 667,005
Downloads: 45,179,540 last month
Affected Version Ranges: <= 6.5.7
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.15.10, 0.15.11, 0.15.12, 0.15.13, 0.15.14, 0.15.15, 0.15.17, 0.16.0, 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.0.2, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 4.0.0, 4.1.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7