CVE-2024-48948: Valid ECDSA signatures erroneously rejected in Elliptic

October 15, 2024 (updated November 5, 2024)

The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve’s base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

References

github.com/advisories/GHSA-fc9h-whq2-v747
github.com/indutny/elliptic
github.com/indutny/elliptic/commit/34c853478cec1be4e37260ed2cb12cdbdc6402cf
github.com/indutny/elliptic/issues/321
github.com/indutny/elliptic/pull/322
nvd.nist.gov/vuln/detail/CVE-2024-48948

Detect and mitigate CVE-2024-48948 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →