CVE-2024-48948: Valid ECDSA signatures erroneously rejected in Elliptic
(updated )
The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve’s base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
References
- github.com/advisories/GHSA-fc9h-whq2-v747
- github.com/indutny/elliptic
- github.com/indutny/elliptic/commit/34c853478cec1be4e37260ed2cb12cdbdc6402cf
- github.com/indutny/elliptic/issues/321
- github.com/indutny/elliptic/pull/322
- nvd.nist.gov/vuln/detail/CVE-2024-48948
- security.netapp.com/advisory/ntap-20241220-0004
Detect and mitigate CVE-2024-48948 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →