Severity: high

    Signature Malleability

    elliptic

    Overview

    The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
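The encoding variations named in the overview can be shown with a strict DER check that accepts exactly one byte string per (r, s) pair. This is an added example, not code from the elliptic project; `readInt`, `parseCanonicalDER` and the sample signatures are constructed for illustration, and `sig` is assumed to be a Node.js `Buffer`.

```javascript
// Added example: strict (canonical) DER parsing of an ECDSA signature.
// Function names and sample values are constructed for this illustration.

// Read one DER INTEGER at `pos`; return {value, next} or null if non-canonical.
function readInt(buf, pos) {
  if (buf[pos] !== 0x02) return null;              // INTEGER tag
  const len = buf[pos + 1];
  // Short-form length only: 0x80 and above is long form, never needed for r or s.
  if (len === undefined || len === 0 || len >= 0x80) return null;
  const start = pos + 2, end = start + len;
  if (end > buf.length) return null;               // length runs past the buffer
  if (buf[start] & 0x80) return null;              // would decode as a negative integer
  // A leading 0x00 is allowed only to keep the high bit of the next byte clear.
  if (len > 1 && buf[start] === 0x00 && !(buf[start + 1] & 0x80)) return null;
  return { value: BigInt('0x' + buf.subarray(start, end).toString('hex')), next: end };
}

// Return {r, s} if `sig` is the single canonical DER encoding, else null.
function parseCanonicalDER(sig) {
  if (sig.length < 8 || sig[0] !== 0x30) return null;   // SEQUENCE tag
  let pos = 2;
  if (sig[1] === 0x81) {                                // long form, one length byte
    if (sig[2] < 0x80) return null;                     // short form would have fit
    pos = 3;
  } else if (sig[1] >= 0x80) return null;               // other long forms rejected
  if (sig[pos - 1] !== sig.length - pos) return null;   // no trailing or missing bytes
  const r = readInt(sig, pos);
  if (!r) return null;
  const s = readInt(sig, r.next);
  if (!s || s.next !== sig.length) return null;
  return { r: r.value, s: s.value };
}

// Constructed samples: all four carry r=1, s=2; only the first is canonical.
const samples = [
  '3006020101020102',     // canonical
  '300702020001020102',   // r padded with an unnecessary leading 0x00
  '308106020101020102',   // long-form length where short form fits
  '300602010102010200',   // trailing byte after the sequence
];
const accepted = samples.filter(h => parseCanonicalDER(Buffer.from(h, 'hex')) !== null);
console.log(accepted);
```

A lenient parser would decode all four samples to the same (r, s), which is why an application that treats signature bytes as a unique identifier needs the strict form.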

    Remediation

    Upgrade to version 6.5.3 or later.

    Advisory timeline

    1. published

      Advisory Published
      Jul 29th, 2020
    2. reported

      Reported by Unknown
      Jul 29th, 2020