Omitting validation in verify function in lib/elliptic/eddsa/index.js
CVE-2024-48949

9.1CRITICAL

Key Information:

Vendor: Elliptic
Status: Elliptic
Vendor: CVE Published:; 10 October 2024

Summary

A vulnerability exists in the verify function of the Elliptic package utilized within Node.js prior to version 6.5.6. This issue arises due to a lack of essential validation checks for digital signatures, specifically concerning the conditions "sig.S().gte(sig.eddsa.curve.n)" and "sig.S().isNeg()". As a result, the absence of these validations could potentially allow for improper verification of digital signatures, posing security risks to applications relying on this cryptographic library.

References

https://github.com/indutny/elliptic/commit/7ac5360118f74e...

https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.6

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2024