Description
The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve’s base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected.
Recommendation
Update the elliptic package to the latest compatible version. Followings are version details:
- Affected version(s): < 6.6.0
- Patched version(s): 6.6.0
References
Related Issues
- Elliptic Uses a Broken or Risky Cryptographic Algorithm - CVE-2020-28498
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- Froala WYSIWYG editor allows cross-site scripting (XSS) - CVE-2024-51434
- Vue I18n Allows Prototype Pollution in `handleFlatJson` - CVE-2025-27597
- Tags:
- npm
- elliptic
Anything's wrong? Let us know Last updated on June 27, 2025