ECDSA Signature Malleability in Elliptic Package 6.5.2 for Node.js
CVE-2020-13822

7.7HIGH

Key Information:

Vendor

Elliptic Project

Status
Elliptic
Vendor
CVE Published:
4 June 2020

What is CVE-2020-13822?

The Elliptic package version 6.5.2 for Node.js is susceptible to ECDSA signature malleability, which arises from various factors, including encoding variations and integer overflows. This vulnerability can lead to multiple valid signatures for the same message, potentially undermining the integrity of applications that rely on a single canonical signature. Developers using this package should be aware of the risks associated with malleable signatures and consider implementing safeguards to protect against such vulnerabilities.

References

https://www.npmjs.com/package/elliptic
x_refsource_MISC
https://github.com/indutny/elliptic/issues/226
x_refsource_MISC
https://yondon.blog/2019/01/01/how-not-to-use-ecdsa/
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.