21 matches found
Astra Linux - vulnerability in node-elliptic
The verify function in lib/elliptic/eddsa/index.js within the Elliptic package, as of version 6.5.6 for Node.js, omits the validation of the condition "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()"...
Use of a Cryptographic Primitive with a Risky Implementation
Overview: org.webjars.npm:elliptic is a fast elliptic-curve cryptography implementation in plain JavaScript. Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to the incorrect computation of the byte-length of k value with leadin...
PT-2026-1743
Name of the Vulnerable Software and Affected Versions: Elliptic versions prior to 6.6.2 Description: The ECDSA implementation within the Elliptic package produces incorrect signatures when an interim value of k calculated according to step 3.2 of RFC 6979 contains leading zeros, making it susceptib...
CVE-2024-48930
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In elliptic-based version, loadUncompressedPublicKey has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, loadCompressedPublicKey is missing that...
GHSA-VJH7-7G9H-FJFH Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Summary: Private key can be extracted from ECDSA signature upon signing a malformed input, e.g. a string or a number, which could e.g. come from JSON network input. Note that elliptic by design accepts hex strings as one of the possible input types. Details: In this code:...
PT-2025-7253 · Elliptic · Elliptic
Name of the Vulnerable Software and Affected Versions: elliptic affected versions not specified Description: The issue allows for private key extraction from ECDSA signatures when signing a malformed input, such as a string or a number, which could come from JSON network input. This is possible...
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.
...
Elliptic security vulnerability
Elliptic is a fast elliptic curve cryptographic library in javascript by the individual developer Fedor Indutny. A security vulnerability exists in Elliptic version 6.5.7, which stems from an inability to properly verify valid signatures in its ECDSA implementation...
GHSA-434G-2637-QMQR Elliptic's verify function omits uniqueness validation
The Elliptic package 6.5.5 for Node.js, in its EDDSA implementation, does not perform the required check of whether the signature proof is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the verify function in lib/elliptic/eddsa/index.js...
UBUNTU-CVE-2024-48949
The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation...
Elliptic security vulnerability
Elliptic is a fast elliptic curve cryptography library in JavaScript by the individual developer Fedor Indutny. A security vulnerability exists in Elliptic versions prior to 6.5.6, which stems from a validation function that omits some condition checks...
Elliptic security vulnerability
Elliptic is a fast elliptic curve cryptography library in JavaScript by the individual developer Fedor Indutny. A security vulnerability exists in Elliptic version 6.5.6, which stems from a lack of signature length checking, and therefore an EDDSA signature malleability issue...
Elliptic security vulnerability
Elliptic is a fast elliptic curve cryptography library in JavaScript by the individual developer Fedor Indutny. A security vulnerability exists in Elliptic version 6.5.6, which stems from allowing the use of BER-encoded signatures, and therefore ECDSA signature malleability...
Elliptic security vulnerability
Elliptic is a fast elliptic curve cryptography library in JavaScript by the individual developer Fedor Indutny. A security vulnerability exists in Elliptic version 6.5.6, which stems from a lack of checking whether the leading bits of r and s are zero, and thus an ECDSA signature malleability issu...
golang: crypto/elliptic: panic caused by oversized scalar
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256.ScalarMult or P256.ScalarBaseMult to panic, leading to a loss of availability...
golang: crypto/elliptic: panic caused by oversized scalar
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256.ScalarMult or P256.ScalarBaseMult to panic, leading to a loss of availability...
UBUNTU-CVE-2020-28498
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the...
PT-2021-11554 · Elliptic · Elliptic
Name of the Vulnerable Software and Affected Versions: elliptic versions prior to 6.5.4 Description: The issue is related to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually...
AZL-79110 CVE-2021-3114 affecting package golang 1.25.7-1
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field...
Cryptographic Issues
Overview: elliptic is a fast elliptic-curve cryptography implementation in plain JavaScript. Affected versions of this package are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the deriv...