CVE-2024-48948

MEDIUM4.8

The Elliptic package 6

Published Oct 15, 2024

Modified 1 months ago

No fix available

Details

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

References

WEBhttps://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/WEBhttps://github.com/indutny/elliptic/issues/321 WEBhttps://github.com/indutny/elliptic/pull/322 WEBhttps://security.netapp.com/advisory/ntap-20241220-0004/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2024-48948

CVSS Analysis

CVSS v3.1

4.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

LowI:L

Availability

LowA:L

4.8/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Ecosystems

Timeline

PublishedOct 15, 2024

ModifiedNov 25, 2025