CVE-2024-48948Improper Verification of Cryptographic Signature in Node-elliptic

CWE-347Improper Verification of Cryptographic SignatureCWE-222Truncation of Security-relevant Information8 documents6 sources
Severity
4.8MEDIUMNVD
EPSS
0.2%
top 62.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Debian Node-ellipticIndutny Elliptic
Timeline
PublishedOct 15
Latest updateNov 18

Description

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 2.2 | Impact: 2.5

Affected Packages3 packages

debiandebian/node-elliptic< node-elliptic 6.6.1+dfsg-1 (forky)
npmindutny/elliptic< 6.6.0
NVDindutny/elliptic6.5.7

🔴Vulnerability Details

3
OSV
CVE-2024-48948: The Elliptic package 62024-10-15
GHSA
Valid ECDSA signatures erroneously rejected in Elliptic2024-10-15
OSV
Valid ECDSA signatures erroneously rejected in Elliptic2024-10-15

📋Vendor Advisories

2
Red Hat
elliptic: ECDSA signature verification error may reject legitimate transactions2024-10-15
Debian
CVE-2024-48948: node-elliptic - The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does no...2024

🕵️Threat Intelligence

2
Trailofbits
We found cryptography bugs in the elliptic library using Wycheproof2025-11-18
Trailofbits
We found cryptography bugs in the elliptic library using Wycheproof2025-11-18
CVE-2024-48948 — Debian Node-elliptic vulnerability | cvebase