Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
- Severity:
- High
Description
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input
Note that elliptic by design accepts hex strings as one of the possible input types
Recommendation
Update the elliptic package to the latest compatible version. Followings are version details:
- Affected version(s): <= 6.6.0
- Patched version(s): 6.6.1
References
Related Issues
- tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled envir - CVE-2024-49364
- jsrsasign: Missing cryptographic validation during DSA signing enables private key extraction - CVE-2026-4601
- secp256k1-node allows private key extraction over ECDH - CVE-2024-48930
- string-kit Inefficient Regular Expression Complexity vulnerability - CVE-2021-4299
You might also like:
- Tags:
- npm
- elliptic
Anything's wrong? Let us know Last updated on February 23, 2025