Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package elliptic, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2024-42461 — CVSS 9.1 (critical): In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.
CVE-2024-48949 — CVSS 9.1 (critical): The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n)…
CVE-2020-13822 — CVSS 7.7 (high): The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer…
CVE-2020-28498 — CVSS 6.8 (medium): The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is…
CVE-2025-14505 — CVSS 5.6 (medium): The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2…
CVE-2024-42460 — CVSS 5.3 (medium): In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit…
CVE-2024-42459 — CVSS 5.3 (medium): In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus…
CVE-2024-48948 — CVSS 4.8 (medium): The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at…