Javascript Insecure Ec Curve Secp192k1
Description
Detects usage of insecure elliptic curve SECP192K1 in cryptographic operations. This curve is considered cryptographically weak and provides insufficient security strength for modern applications. Using this curve could make the cryptographic system vulnerable to attacks.
Detection Strategy
• Identifies declarations or uses of EC keypairs with the SECP192K1 curve in JavaScript code
• Detects when crypto.createECDH() or similar EC functions are called with 'secp192k1' as parameter
• Flags cryptographic operations that explicitly specify or use the SECP192K1 curve
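The following is an added example, not part of the Fluid Attacks rule or its analyzer, of how the detection strategy above can be applied to JavaScript source text. It scans for the two call shapes the strategy names (a `namedCurve` option and a `createECDH()` argument), reads the field size out of the curve name, and flags any curve below the 224-bit threshold mentioned in the code comments on this page. The function names (`curveBits`, `isWeakCurve`, `findWeakCurveUsage`), the `MIN_CURVE_BITS` constant, the regular-expression heuristic and the sample source are all assumptions chosen for this illustration; it generalizes past secp192k1 to any named curve whose size is encoded in its name (secp, sect, prime, brainpoolP families).

```javascript
// Added example (not part of the Fluid Attacks rule or its analyzer):
// a minimal static check that scans JavaScript source text for EC curve
// names passed to Node's crypto APIs and flags curves below 224 bits.

const MIN_CURVE_BITS = 224; // threshold from the rule's "< 224 bits" comment (assumed)

// Extract the field size from a named curve such as 'secp192k1',
// 'prime256v1' or 'brainpoolP160r1'. Returns null if the name carries no size.
function curveBits(name) {
  const m = /^(?:secp|sect|prime|brainpoolP|c2tnb|c2pnb)(\d{3})/i.exec(name);
  return m ? parseInt(m[1], 10) : null;
}

// A curve is weak here when its field size is known and below the threshold.
function isWeakCurve(name) {
  const bits = curveBits(name);
  return bits !== null && bits < MIN_CURVE_BITS;
}

// Call shapes from the detection strategy:
//   namedCurve: 'secp192k1'          (generateKeyPair / generateKeyPairSync)
//   crypto.createECDH('secp192k1')
const CURVE_PATTERNS = [
  /namedCurve\s*:\s*['"`]([A-Za-z0-9_-]+)['"`]/g,
  /createECDH\s*\(\s*['"`]([A-Za-z0-9_-]+)['"`]/g,
];

// Scan source text line by line; return one finding per weak-curve use.
function findWeakCurveUsage(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const pattern of CURVE_PATTERNS) {
      pattern.lastIndex = 0; // reset the global regex between lines
      let m;
      while ((m = pattern.exec(line)) !== null) {
        if (isWeakCurve(m[1])) {
          findings.push({ line: idx + 1, curve: m[1], bits: curveBits(m[1]) });
        }
      }
    }
  });
  return findings;
}

// Constructed sample input mixing a weak curve and a strong one.
const SAMPLE_SOURCE = `
const crypto = require('crypto');
crypto.generateKeyPair('ec', { namedCurve: 'secp192k1' }, cb);
const ecdh = crypto.createECDH('secp192k1');
crypto.generateKeyPair('ec', { namedCurve: 'prime256v1' }, cb);
`;

// Running the scan over the sample reports lines 3 and 4 (secp192k1, 192 bits)
// and nothing for the prime256v1 use on line 5.
console.log(findWeakCurveUsage(SAMPLE_SOURCE));
```

The check is deliberately text-based and will miss a curve name that arrives through a variable or a configuration file; a real analyzer resolves the value through data flow. The size-parsing heuristic also treats curves it cannot size (X25519, for example) as unknown rather than weak, so the rule does not produce false positives on modern curves that do not encode their size in the name.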
Vulnerable code example
const crypto = require('crypto');

// Vulnerable: uses the weak elliptic curve secp192k1 (192-bit field, < 224 bits)
crypto.generateKeyPair('ec', {
  namedCurve: 'secp192k1',
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, (err, publicKey, privateKey) => {
  if (err) throw err;
  // The generated key pair is used from here on
});
Secure code example
const crypto = require('crypto');

// Secure: uses the strong elliptic curve secp256r1 (256 bits)
crypto.generateKeyPair('ec', {
  namedCurve: 'prime256v1', // NIST P-256 (secp256r1), which meets current security standards
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, (err, publicKey, privateKey) => {
  if (err) throw err;
  // The generated key pair is used from here on
});