Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)

Severity:: High

Description

Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input

Note that elliptic by design accepts hex strings as one of the possible input types

Recommendation

Update the elliptic package to the latest compatible version. Followings are version details:

Affected version(s): <= 6.6.0
Patched version(s): 6.6.1

References

GHSA-vjh7-7g9h-fjfh
CWE-200
OWASP 2021-A1

Related Issues

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes - CVE-2025-53892
Elliptic's verify function omits uniqueness validation - CVE-2024-48949
Signature Malleabillity in elliptic - CVE-2020-13822
Elliptic's EDDSA missing signature length check - CVE-2024-42459

Tags:: npm; elliptic

Anything's wrong? Let us know Last updated on February 23, 2025