CVE-2024-42460

Elliptic's ECDSA missing check for whether leading bit of r and s is zero

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details

Score: 5.3
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Versions: elliptic >= 2.0.0 < 6.5.7
Severity: Medium
Ecosystem: JavaScript
Publish Date: August 2, 2024
Modified Date: August 15, 2024