GHSA-vjh7-7g9h-fjfh: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)

February 12, 2025 (updated October 31, 2025)

Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input

Note that elliptic by design accepts hex strings as one of the possible input types

References

github.com/advisories/GHSA-vjh7-7g9h-fjfh
github.com/indutny/elliptic
github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh

Code Behaviors & Features

Detect and mitigate GHSA-vjh7-7g9h-fjfh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →