elliptic@6.5.4 vulnerabilities

EC cryptography

Direct Vulnerabilities

Known vulnerabilities in the elliptic package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free
VulnerabilityVulnerable Version
  • C
Information Exposure

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Information Exposure due to the sign function which allows an attacker to extract the private key from an ECDSA signature by signing a malformed input. A single maliciously crafted signed message can enable full key extraction for any previously known message-signature pair.

How to fix Information Exposure?

Upgrade elliptic to version 6.6.1 or higher.

<6.6.1
  • C
Improper Verification of Cryptographic Signature

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to an anomaly in the _truncateToN function. An attacker can cause legitimate transactions or communications to be incorrectly flagged as invalid by exploiting the signature verification process when the hash contains at least four leading 0 bytes, and the order of the elliptic curve's base point is smaller than the hash.

In some situations, a private key exposure is possible. This can happen when an attacker knows a faulty and the corresponding correct signature for the same message.

Note: Although the vector for exploitation of this vulnerability was restricted with the release of versions 6.6.0 and 6.6.1, it remains possible to generate invalid signatures in some cases in those releases as well.

How to fix Improper Verification of Cryptographic Signature?

There is no fixed version for elliptic.

*
  • H
Improper Verification of Cryptographic Signature

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to improper range validation of the S value in the verify function, allowing the usage of an invalid signature.

Note:

This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.

How to fix Improper Verification of Cryptographic Signature?

Upgrade elliptic to version 6.5.6 or higher.

<6.5.6
  • C
Improper Verification of Cryptographic Signature

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to a missing signature length check in the EDDSA signature process. An attacker can manipulate the signature by appending or removing zero-valued bytes.

How to fix Improper Verification of Cryptographic Signature?

Upgrade elliptic to version 6.5.7 or higher.

<6.5.7
  • C
Improper Verification of Cryptographic Signature

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the allowance of BER-encoded signatures. An attacker can manipulate the ECDSA signatures by exploiting the signature malleability.

How to fix Improper Verification of Cryptographic Signature?

Upgrade elliptic to version 6.5.7 or higher.

<6.5.7
  • C
Improper Verification of Cryptographic Signature

elliptic is a fast elliptic-curve cryptography implementation in plain javascript.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to a missing check for whether the leading bit of r and s is zero. An attacker can manipulate the ECDSA signature by exploiting this oversight.

How to fix Improper Verification of Cryptographic Signature?

Upgrade elliptic to version 6.5.7 or higher.

<6.5.7