Skip to main content

Elliptic

6 CVEs product

Monthly

CVE-2024-48948 npm MEDIUM POC PATCH This Month

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2024-48949 npm CRITICAL PATCH Act Now

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2024-42461 npm CRITICAL PATCH Act Now

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2024-42460 npm MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-42459 npm MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure Elliptic
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2020-13822 npm HIGH POC PATCH This Week

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Canonical Buffer Overflow Integer Overflow Elliptic
NVD GitHub
CVSS 3.1
7.7
EPSS
2.6%
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Elliptic
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 3% CVSS 7.7
HIGH POC PATCH This Week

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Node.js Canonical Buffer Overflow +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy