Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
- Severity:
- High
Description
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input
Note that elliptic by design accepts hex strings as one of the possible input types
Recommendation
Update the elliptic package to the latest compatible version. Followings are version details:
- Affected version(s): <= 6.6.0
- Patched version(s): 6.6.1
References
Related Issues
- tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled envir - CVE-2024-49364
- secp256k1-node allows private key extraction over ECDH - CVE-2024-48930
- ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign - CVE-2020-14966
- Improper Key Verification in ipns - Vulnerability
- Tags:
- npm
- elliptic
Anything's wrong? Let us know Last updated on February 23, 2025