secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery
- Severity: High
Description
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without the required validation of the signature values r and s, leading to signature forgery.
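Added example, not the package's own code: a minimal secp256k1 ECDSA verifier in Node.js BigInt arithmetic that shows the bounds check on r and s this advisory says was missing. The unchecked variant mirrors the described flaw (it accepts the all-zero signature for any message), the hardened variant rejects it; the private key, nonce and message hash are constructed values for the demonstration.

```javascript
// secp256k1 domain parameters (standard constants), BigInt affine arithmetic.
const P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn;
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
const G = {
  x: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
  y: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n,
};
const mod = (a, m) => ((a % m) + m) % m;
function modPow(b, e, m) {
  let r = 1n;
  for (b = mod(b, m); e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}
// Fermat inverse; quietly returns 0n for a = 0n (no inverse exists), exactly what a verifier that never checks s != 0 feeds into its equations.
const modInv = (a, m) => modPow(a, m - 2n, m);
// Point addition/doubling in affine coordinates; null is the point at infinity.
function add(a, b) {
  if (!a) return b;
  if (!b) return a;
  if (a.x === b.x && a.y !== b.y) return null;
  const l = a.x === b.x
    ? mod(3n * a.x * a.x * modInv(2n * a.y, P), P)
    : mod((b.y - a.y) * modInv(b.x - a.x, P), P);
  const x = mod(l * l - a.x - b.x, P);
  return { x, y: mod(l * (a.x - x) - a.y, P) };
}
function mul(k, p) {
  let r = null;
  for (; k > 0n; k >>= 1n, p = add(p, p)) if (k & 1n) r = add(r, p);
  return r;
}
// Signing with a caller-supplied nonce k (constructed, fixed nonce for the demo only).
function sign(d, z, k) {
  const r = mod(mul(k, G).x, N);
  return { r, s: mod(modInv(k, N) * (z + r * d), N) };
}
// Verification WITHOUT the r/s range check, mirroring the advisory's flaw: infinity maps to x = 0, so r = 0, s = 0 passes for any z.
function verifyUnchecked(pub, z, r, s) {
  const w = modInv(s, N);
  const R = add(mul(mod(z * w, N), G), mul(mod(r * w, N), pub));
  return (R ? mod(R.x, N) : 0n) === r;
}
// Hardened verification: reject r, s outside [1, N-1] and a result at infinity.
function verifyChecked(pub, z, r, s) {
  if (r < 1n || r >= N || s < 1n || s >= N) return false;
  const w = modInv(s, N);
  const R = add(mul(mod(z * w, N), G), mul(mod(r * w, N), pub));
  return R !== null && mod(R.x, N) === r;
}
```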
Recommendation
Update the @lionello/secp256k1-js package to the latest compatible version. Version details:
- Affected version(s): < 1.1.0
- Patched version(s): 1.1.0
References
- Tags: npm, @lionello/secp256k1-js
Last updated on January 28, 2023