Signature Malleabillity in elliptic

Severity:: High

Description

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading ‘\0’ bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Recommendation

Update the elliptic package to the latest compatible version. Followings are version details:

Affected version(s): < 6.5.3
Patched version(s): 6.5.3

References

GHSA-vh7m-p724-62c2
medium.com
www.npmjs.com
yondon.blog
CVE-2020-13822
CWE-190
CAPEC-310
OWASP 2021-A6

Related Issues

RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign - CVE-2020-14968
Elliptic Uses a Broken or Risky Cryptographic Algorithm - CVE-2020-28498
ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign - CVE-2020-14966
Elliptic's EDDSA missing signature length check - CVE-2024-42459

Tags:: npm; elliptic

Anything's wrong? Let us know Last updated on October 16, 2024