Javascript Insecure Ecdh Curve
Description
Detects the usage of cryptographically weak or deprecated elliptic curves in ECDH (Elliptic Curve Diffie-Hellman) key exchange operations in JavaScript code. Using weak curves can compromise the security of the key exchange protocol, potentially allowing attackers to break the encryption.
Detection Strategy
• Check for ECDH key generation or key exchange operations in JavaScript code
• Look for curve specifications or parameters being passed to ECDH operations
• Flag usage of known insecure or deprecated curves like secp192r1, secp224r1, or other NIST curves below P-256
• Report a vulnerability when ECDH operations use curves that don't meet minimum security requirements of 128-bit security level
Vulnerable code example
const crypto = require('crypto');
// Vulnerable: Using weak/deprecated EC curve 'c2pnb163v2'
const ecdh = crypto.createECDH('c2pnb163v2');
const publicKey = ecdh.generateKeys();
console.log(publicKey.toString('hex'));✅ Secure code example
const crypto = require('crypto');
// Safe: Using strong standardized curve 'prime256v1' (secp256r1)
const ecdh = crypto.createECDH('prime256v1');
const publicKey = ecdh.generateKeys();
console.log(publicKey.toString('hex'));Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.