CVE-2024-48948 – elliptic

Package

Manager: npm
Name: elliptic
Vulnerable Version: >=0 <6.6.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00073 pctl0.22692

Details

Valid ECDSA signatures erroneously rejected in Elliptic The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Metadata

Created: 2024-10-15T15:30:56Z
Modified: 2024-12-20T15:30:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-fc9h-whq2-v747/GHSA-fc9h-whq2-v747.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-fc9h-whq2-v747
Finding: F163
Auto approve: 1