4.8

CVE-2024-48948

Exploit

EPSS 0.12%
Veröffentlicht 15.10.2024 14:15:05
Zuletzt bearbeitet 25.11.2025 16:16:05
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Indutny ≫ Elliptic Version6.5.7 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.308

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/indutny/elliptic/issues/321

Exploit

Issue Tracking

https://github.com/indutny/elliptic/pull/322

Exploit

Issue Tracking

https://security.netapp.com/advisory/ntap-20241220-0004/

Third Party Advisory

https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/

https://nvd.nist.gov/vuln/detail/CVE-2024-48948

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-48948

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-48948

EUVD