
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)

Severity:
High

Description

The private key can be extracted from an ECDSA signature produced when elliptic signs a malformed input (e.g. a string or a number), which could, for example, arrive as JSON network input.

Note that elliptic by design accepts hex strings as one of the possible input types.
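The practical mitigation, besides upgrading, is to never let a value that came out of `JSON.parse()` reach `KeyPair.sign()` unchecked. The following guard is an added example, not elliptic's own code: it assumes a 32-byte digest (SHA-256 with secp256k1 or P-256) and takes any object with a `sign()` method as the key, so that in a real service an elliptic `KeyPair` would be passed in.

```javascript
// Added example: validate the message hash before it reaches elliptic.
// elliptic itself is not imported so the guard runs stand-alone; `key` is
// duck-typed and would be an elliptic KeyPair in real use.

const HASH_LEN = 32; // assumption: SHA-256 digests

class MalformedMessageError extends TypeError {}

// Accept only a fixed-length byte array. Strings, numbers, plain objects and
// anything else that JSON.parse() can produce are rejected, even though
// elliptic would accept a hex string by design.
function assertMessageHash(msg) {
  if (!(msg instanceof Uint8Array)) { // Buffer is a Uint8Array subclass
    throw new MalformedMessageError(
      `message hash must be a Uint8Array/Buffer, got ${typeof msg}`);
  }
  if (msg.length !== HASH_LEN) {
    throw new MalformedMessageError(
      `message hash must be ${HASH_LEN} bytes, got ${msg.length}`);
  }
  return msg;
}

// The only path through which untrusted input should reach key.sign().
function safeSign(key, msg) {
  return key.sign(assertMessageHash(msg));
}

// Parse a request body of the form {"hash": "<64 hex chars>"} (a constructed
// format for this example) into bytes, so the value handed to safeSign()
// is already a Uint8Array of the right size rather than a string.
function hashFromJsonBody(body) {
  const parsed = JSON.parse(body);
  if (typeof parsed.hash !== 'string' || !/^[0-9a-fA-F]{64}$/.test(parsed.hash)) {
    throw new MalformedMessageError('hash field must be 64 hex characters');
  }
  return Uint8Array.from(Buffer.from(parsed.hash, 'hex'));
}
```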

Recommendation

Update the elliptic package to the latest compatible version. The following are the version details:

References

Related Issues

Tags:
npm
elliptic
Last updated on February 23, 2025