Homepage
About Snyk

Information Exposure Affecting ecdh package, versions <0.2.0

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.21% (59th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ECDH-3331939
  • published 26 Feb 2023
  • disclosed 26 Feb 2023
  • credit shilohshi
Report a new vulnerability Found a mistake?

Introduced: 26 Feb 2023

CVE-2022-44310 Open this link in a new tab
CWE-200 Open this link in a new tab

How to fix?

Upgrade ecdh to version 0.2.0 or higher.

Overview

ecdh is a native Node.js module for ECDH and ECDSA

Affected versions of this package are vulnerable to Information Exposure in the deriveSharedSecret() function in index.js, which allows an attacker to send an invalid point as the public key (a point not on the curve), and retrieve the derived shared secret.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high