GHSA-vjh7-7g9h-fjfh: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
The private key can be extracted from an ECDSA signature produced when signing a malformed input (e.g. a string or a number), which could, for example, arrive as JSON network input.
Note that elliptic by design accepts hex strings as one of the possible input types.
References