Severity: high

Signature Malleability

elliptic

Overview

The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
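The encoding variations described above can be made concrete with a strict DER check that an application relying on one canonical signature encoding could run before verification. This is an added example, not code from the advisory or from the elliptic project; `derSignatureProblem`, `fromHex`, `SAMPLES` and the sample bytes are constructed for illustration, and the check assumes curves of at most 256 bits so that every length fits in a single byte. The optional `order` argument goes slightly beyond the advisory text and applies the standard ECDSA requirement that r and s lie in [1, n-1].

```javascript
// Added example: strict DER check for an ECDSA signature,
// SEQUENCE { INTEGER r, INTEGER s }. Returns null when the encoding is
// canonical, otherwise a string naming the first problem found.
// Assumption: curves of at most 256 bits, so every length is short form.
function derSignatureProblem(sig, order) {
  if (sig.length < 8) return 'too short';
  if (sig[0] !== 0x30) return 'not a SEQUENCE';
  if (sig[1] & 0x80) return 'long-form sequence length';
  if (sig[1] !== sig.length - 2) return 'sequence length does not match input';
  let off = 2;
  for (const name of ['r', 's']) {
    if (off + 2 > sig.length) return name + ': missing';
    if (sig[off] !== 0x02) return name + ': not an INTEGER';
    const len = sig[off + 1];
    if (len & 0x80) return name + ': long-form length';
    if (len === 0) return name + ': empty';
    if (off + 2 + len > sig.length) return name + ': overruns input';
    const v = sig.subarray(off + 2, off + 2 + len);
    if (v[0] & 0x80) return name + ': negative';
    // A 0x00 prefix is only allowed when the next byte has its top bit set.
    if (len > 1 && v[0] === 0 && !(v[1] & 0x80)) return name + ': padded with a leading zero';
    if (order !== undefined) {
      const hex = Array.from(v, b => b.toString(16).padStart(2, '0')).join('');
      const value = BigInt('0x' + hex);
      if (value === 0n || value >= order) return name + ': outside [1, order-1]';
    }
    off += 2 + len;
  }
  return off === sig.length ? null : 'bytes after s';
}

const fromHex = h => Uint8Array.from(h.match(/../g), b => parseInt(b, 16));

// Constructed samples: the same (r, s) = (1, 1) in four different encodings.
// Only the first is canonical; a lenient parser would read all four alike.
const SAMPLES = {
  canonical:   fromHex('3006020101020101'),
  leadingZero: fromHex('300702020001020101'),
  longForm:    fromHex('308106020101020101'),
  trailing:    fromHex('300602010102010100'),
};

for (const [label, bytes] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(12), derSignatureProblem(bytes) ?? 'canonical');
}
```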

Remediation

Upgrade to version 6.5.3 or later.


Advisory timeline

  1. Published: Advisory Published, Jul 29th, 2020
  2. Reported: Reported by Unknown, Jul 29th, 2020