Typescript Insecure Ecdh Curve
Description
Detects the use of insecure or weak elliptic curves in ECDH (Elliptic Curve Diffie-Hellman) key exchange implementations. Using weak or deprecated curves can make the cryptographic exchange vulnerable to attacks that could compromise the security of the established shared secret.
Detection Strategy
• Look for cryptographic function calls or configurations that specify ECDH curve parameters
• Check if the specified curve matches known weak or insecure curves (like secp192r1, secp160k1, or other deprecated curves)
• Flag implementations that use custom curve parameters or curves with insufficient bit length
• Examine ECDH key generation and exchange functions for explicit curve specifications
Vulnerable code example
const crypto = require('crypto');
function generateKey() {
// Vulnerable: Using weak/deprecated elliptic curve c2pnb163v2
const ecdh = crypto.createECDH('c2pnb163v2');
return ecdh.generateKeys('hex');
}✅ Secure code example
const crypto = require('crypto');
function generateKey() {
// Safe: Using NIST P-256 curve (prime256v1) - standard secure curve
const ecdh = crypto.createECDH('prime256v1');
return ecdh.generateKeys('hex');
}Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.