elliptic@0.4.0 vulnerabilities

EC cryptography

  • latest version

    6.6.1

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the elliptic package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Improper Verification of Cryptographic Signature

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to an anomaly in the _truncateToN function. An attacker can cause legitimate transactions or communications to be incorrectly flagged as invalid by exploiting the signature verification process when the hash contains at least four leading 0 bytes and the order of the elliptic curve's base point is smaller than the hash.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade elliptic to version 6.6.0 or higher.

    <6.6.0
    • H
    Improper Verification of Cryptographic Signature

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to improper range validation of the S value in the verify function, allowing the usage of an invalid signature.

    Note:

    This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade elliptic to version 6.5.6 or higher.

    <6.5.6
    • C
    Improper Verification of Cryptographic Signature

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to a missing signature length check in the EDDSA signature process. An attacker can manipulate the signature by appending or removing zero-valued bytes.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade elliptic to version 6.5.7 or higher.

    <6.5.7
    • C
    Improper Verification of Cryptographic Signature

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the allowance of BER-encoded signatures. An attacker can manipulate the ECDSA signatures by exploiting the signature malleability.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade elliptic to version 6.5.7 or higher.

    <6.5.7
    • C
    Improper Verification of Cryptographic Signature

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to a missing check for whether the leading bit of r and s is zero. An attacker can manipulate the ECDSA signature by exploiting this oversight.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade elliptic to version 6.5.7 or higher.

    <6.5.7
    • M
    Cryptographic Issues

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.

    How to fix Cryptographic Issues?

    Upgrade elliptic to version 6.5.4 or higher.

    <6.5.4
    • H
    Cryptographic Issues

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Cryptographic Issues. Elliptic allows ECDSA signature malleability via variations in encoding, leading \0 bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

    PoC

    var crypto = require('crypto')
    var EC = require('elliptic').ec;
    var ec = new EC('secp256k1');
    
    var obj = require("./poc_ecdsa_secp256k1_sha256_test.json");
    
    for (let testGroup of obj.testGroups) {
    
        var key = ec.keyFromPublic(testGroup.key.uncompressed, 'hex');
        
        for(let test of testGroup.tests) {
         console.log("[*] Test " + test.tcId + " result: " + test.result)
    
         msgHash = crypto.createHash('sha256').update(Buffer.from(test.msg, 'hex')).digest();
         
         try {
          result = key.verify(msgHash, Buffer.from(test.sig, 'hex'));
    
         if (result == true) {
          if (test.result == "valid" || test.result == "acceptable")
           console.log("Result: PASS");
          else
           console.log("Result: FAIL")     
         }
    
         if (result == false) {
          if (test.result == "valid" || test.result == "acceptable")
           console.log("Result: FAIL");
          else
           console.log("Result: PASS")     
         }
    
    
    
         } catch (e) {
          console.log("ERROR - VERIFY: " + e)
    
          if (test.result == "valid" || test.result == "acceptable")
           console.log("Result: FAIL");
          else
           console.log("Result: PASS")     
    
    
    
         }
    
    
        }
    
    }
    

    How to fix Cryptographic Issues?

    Upgrade elliptic to version 6.5.3 or higher.

    <6.5.3
    • M
    Timing Attack

    elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

    Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of bit-length of a scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

    How to fix Timing Attack?

    Upgrade elliptic to version 6.5.2 or higher.

    <6.5.2