CVE-2024-48949 – elliptic

Package

Manager: npm
Name: elliptic
Vulnerable Version: >=0 <6.5.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

EPSS: 0.0013 pctl0.33255

Details

Elliptic's verify function omits uniqueness validation The Elliptic package 6.5.5 for Node.js for EDDSA implementation does not perform the required check if the signature proof(s) is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the `verify` function in `lib/elliptic/eddsa/index.js` omits `sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()` validation. This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.

Metadata

Created: 2024-10-10T03:30:44Z
Modified: 2025-03-25T20:10:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-434g-2637-qmqr/GHSA-434g-2637-qmqr.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-434g-2637-qmqr
Finding: F163
Auto approve: 1