You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
mend-bolt-for-githubbot
changed the title
CVE-2024-48948 (Medium) detected in elliptic-6.5.4.tgz
CVE-2024-48948 (High) detected in elliptic-6.5.4.tgz
Oct 20, 2024
mend-bolt-for-githubbot
changed the title
CVE-2024-48948 (High) detected in elliptic-6.5.4.tgz
CVE-2024-48948 (Medium) detected in elliptic-6.5.4.tgz
Nov 7, 2024
CVE-2024-48948 - Medium Severity Vulnerability
Vulnerable Library - elliptic-6.5.4.tgz
EC cryptography
Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/elliptic/package.json
Dependency Hierarchy:
Found in HEAD commit: fb5f77da2e6a1abdc8035ddac751a729e7652710
Found in base branch: master
Vulnerability Details
The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
Publish Date: 2024-10-15
URL: CVE-2024-48948
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-fc9h-whq2-v747
Release Date: 2024-10-28
Fix Resolution: elliptic - 6.6.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: