Improper Validation of Integrity Check Value Affecting secp256k1 package, versions <3.8.1>=4.0.0 <4.0.4>=5.0.0 <5.0.1


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-SECP256K1-8237220
  • published22 Oct 2024
  • disclosed21 Oct 2024
  • creditNikita Skovoroda

Introduced: 21 Oct 2024

CVE-2024-48930  (opens in a new tab)
CWE-354  (opens in a new tab)

How to fix?

Upgrade secp256k1 to version 3.8.1, 4.0.4, 5.0.1 or higher.

Overview

secp256k1 is a This module provides native bindings to ecdsa secp256k1 functions

Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value due to a missing that check in loadCompressedPublicKey. An attacker can extract enough information to fully restore the private key from as little as 11 ECDH sessions.

Note: Other operations on public keys likepublicKeyVerify() incorrectly returning true and publicKeyTweakMul() returning predictable outcomes allowing to restore the tweak are also affected.

CVSS Scores

version 4.0
version 3.1