CVE-2024-48948
- EPSS 0.12%
- Veröffentlicht 15.10.2024 14:15:05
- Zuletzt bearbeitet 25.11.2025 16:16:05
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, bec...
CVE-2024-48949
- EPSS 0.29%
- Veröffentlicht 10.10.2024 01:15:11
- Zuletzt bearbeitet 25.11.2025 16:16:05
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
CVE-2024-42459
- EPSS 0.13%
- Veröffentlicht 02.08.2024 07:16:10
- Zuletzt bearbeitet 03.11.2025 22:18:06
In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
CVE-2024-42460
- EPSS 0.24%
- Veröffentlicht 02.08.2024 07:16:10
- Zuletzt bearbeitet 03.11.2025 22:18:06
In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.
CVE-2020-28498
- EPSS 3.94%
- Veröffentlicht 02.02.2021 19:15:13
- Zuletzt bearbeitet 21.11.2024 05:22:54
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 c...
CVE-2020-13822
- EPSS 0.19%
- Veröffentlicht 04.06.2020 15:15:13
- Zuletzt bearbeitet 21.11.2024 05:01:56
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical sig...