You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
mend-for-github-combot
changed the title
CVE-2024-48948 (Medium) detected in elliptic-6.5.2.tgz
CVE-2024-48948 (High) detected in elliptic-6.5.2.tgz
Oct 20, 2024
mend-for-github-combot
changed the title
CVE-2024-48948 (High) detected in elliptic-6.5.2.tgz
CVE-2024-48948 (Medium) detected in elliptic-6.5.2.tgz
Nov 7, 2024
CVE-2024-48948 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.2.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz
Path to dependency file: /node_modules/elliptic/package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c22b39b4f64e2bf88c2b59e4e09bc0b140c91e6
Found in base branch: develop
Vulnerability Details
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Publish Date: 2024-10-15
URL: CVE-2024-48948
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-fc9h-whq2-v747
Release Date: 2024-10-28
Fix Resolution: elliptic - 6.6.0
The text was updated successfully, but these errors were encountered: