Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mYzloLXdocTItdjc0N84ABARZ

Valid ECDSA signatures erroneously rejected in Elliptic

The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Permalink: https://github.com/advisories/GHSA-fc9h-whq2-v747
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mYzloLXdocTItdjc0N84ABARZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 month ago
Updated: 15 days ago

CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Identifiers: GHSA-fc9h-whq2-v747, CVE-2024-48948
References:

Repository: https://github.com/indutny/elliptic
Blast Radius: 28.0

Affected Packages

npm:elliptic

Dependent packages: 2,976
Dependent repositories: 667,005
Downloads: 47,744,145 last month
Affected Version Ranges: < 6.6.0
Fixed in: 6.6.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.15.4, 0.15.5, 0.15.6, 0.15.7, 0.15.8, 0.15.9, 0.15.10, 0.15.11, 0.15.12, 0.15.13, 0.15.14, 0.15.15, 0.15.17, 0.16.0, 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.0.2, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 4.0.0, 4.1.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7
All unaffected versions: 6.6.0, 6.6.1