Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/elliptic@0.15.9
Typenpm
Namespace
Nameelliptic
Version0.15.9
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-3rn2-srxp-p7bn
vulnerability_id VCID-3rn2-srxp-p7bn
summary 
Elliptic's verify function omits uniqueness validation
The Elliptic package 6.5.5 for Node.js for EDDSA implementation does not perform the required check if the signature proof(s) is within the bounds of the order n of the base point of the elliptic curve, leading to signature malleability. Namely, the `verify` function in `lib/elliptic/eddsa/index.js` omits `sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()` validation.

This vulnerability could have a security-relevant impact if an application relies on the uniqueness of a signature.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48949.json
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48949.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-48949
reference_id
reference_type
scores
0
value 0.00292
scoring_system epss
scoring_elements 0.52914
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-48949
2
reference_url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48949
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48949
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
6
reference_url https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-10T20:20:12Z/
url https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281
7
reference_url https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
2
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-10T20:20:12Z/
url https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.6
8
reference_url https://security.netapp.com/advisory/ntap-20241227-0003
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241227-0003
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2317724
reference_id 2317724
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2317724
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-48949
reference_id CVE-2024-48949
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-48949
11
reference_url https://github.com/advisories/GHSA-434g-2637-qmqr
reference_id GHSA-434g-2637-qmqr
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-434g-2637-qmqr
12
reference_url https://access.redhat.com/errata/RHSA-2024:10236
reference_id RHSA-2024:10236
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10236
13
reference_url https://access.redhat.com/errata/RHSA-2024:6738
reference_id RHSA-2024:6738
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6738
14
reference_url https://access.redhat.com/errata/RHSA-2024:6779
reference_id RHSA-2024:6779
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6779
15
reference_url https://access.redhat.com/errata/RHSA-2024:7994
reference_id RHSA-2024:7994
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7994
16
reference_url https://access.redhat.com/errata/RHSA-2024:8351
reference_id RHSA-2024:8351
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8351
17
reference_url https://access.redhat.com/errata/RHSA-2024:8507
reference_id RHSA-2024:8507
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8507
18
reference_url https://access.redhat.com/errata/RHSA-2024:8533
reference_id RHSA-2024:8533
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8533
19
reference_url https://access.redhat.com/errata/RHSA-2024:8546
reference_id RHSA-2024:8546
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8546
20
reference_url https://access.redhat.com/errata/RHSA-2024:8974
reference_id RHSA-2024:8974
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8974
21
reference_url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/
reference_id we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-10T20:20:12Z/
url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/
fixed_packages
0
url pkg:npm/elliptic@6.5.6
purl pkg:npm/elliptic@6.5.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2sfb-9txp-c7av
1
vulnerability VCID-ew32-3yaw-hfgg
2
vulnerability VCID-k6en-3w8h-sygy
3
vulnerability VCID-naf1-wstu-budj
4
vulnerability VCID-p89g-d93c-ekfn
5
vulnerability VCID-t9fh-dydj-9bge
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.5.6
aliases CVE-2024-48949, GHSA-434g-2637-qmqr
risk_score 3.7
exploitability 0.5
weighted_severity 7.4
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3rn2-srxp-p7bn
1
url VCID-bm4w-zre2-93fw
vulnerability_id VCID-bm4w-zre2-93fw
summary 
Signature Malleabillity in elliptic
The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13822.json
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-13822.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-13822
reference_id
reference_type
scores
0
value 0.00411
scoring_system epss
scoring_elements 0.61758
published_at 2026-06-05T12:55:00Z
1
value 0.00411
scoring_system epss
scoring_elements 0.61709
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-13822
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13822
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13822
3
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
4
reference_url https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec
5
reference_url https://github.com/indutny/elliptic/issues/226
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/issues/226
6
reference_url https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
7
reference_url https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4
8
reference_url https://www.npmjs.com/package/elliptic
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/elliptic
9
reference_url https://yondon.blog/2019/01/01/how-not-to-use-ecdsa
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://yondon.blog/2019/01/01/how-not-to-use-ecdsa
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1848647
reference_id 1848647
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1848647
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963149
reference_id 963149
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963149
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-13822
reference_id CVE-2020-13822
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-13822
13
reference_url https://github.com/advisories/GHSA-vh7m-p724-62c2
reference_id GHSA-vh7m-p724-62c2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vh7m-p724-62c2
14
reference_url https://access.redhat.com/errata/RHSA-2020:4298
reference_id RHSA-2020:4298
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4298
15
reference_url https://access.redhat.com/errata/RHSA-2020:5533
reference_id RHSA-2020:5533
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:5533
fixed_packages
0
url pkg:npm/elliptic@6.5.3
purl pkg:npm/elliptic@6.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2sfb-9txp-c7av
1
vulnerability VCID-3rn2-srxp-p7bn
2
vulnerability VCID-ew32-3yaw-hfgg
3
vulnerability VCID-gzma-2y74-9ucn
4
vulnerability VCID-k6en-3w8h-sygy
5
vulnerability VCID-naf1-wstu-budj
6
vulnerability VCID-p89g-d93c-ekfn
7
vulnerability VCID-t9fh-dydj-9bge
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.5.3
aliases CVE-2020-13822, GHSA-vh7m-p724-62c2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bm4w-zre2-93fw
2
url VCID-ew32-3yaw-hfgg
vulnerability_id VCID-ew32-3yaw-hfgg
summary 
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of  RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.

This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14505.json
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14505.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-14505
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02396
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-14505
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14505
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14505
3
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
4
reference_url https://github.com/indutny/elliptic/issues/321
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:22:47Z/
url https://github.com/indutny/elliptic/issues/321
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125180
reference_id 1125180
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125180
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2428154
reference_id 2428154
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2428154
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-14505
reference_id CVE-2025-14505
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-14505
8
reference_url https://www.herodevs.com/vulnerability-directory/cve-2025-14505
reference_id CVE-2025-14505
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:22:47Z/
url https://www.herodevs.com/vulnerability-directory/cve-2025-14505
9
reference_url https://github.com/advisories/GHSA-848j-6mx2-7j84
reference_id GHSA-848j-6mx2-7j84
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-848j-6mx2-7j84
fixed_packages
aliases CVE-2025-14505, GHSA-848j-6mx2-7j84
risk_score 2.5
exploitability 0.5
weighted_severity 5.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ew32-3yaw-hfgg
3
url VCID-gzma-2y74-9ucn
vulnerability_id VCID-gzma-2y74-9ucn
summary 
Use of a Broken or Risky Cryptographic Algorithm
The package elliptic is vulnerable to Cryptographic Issues via the secp256k1 implementation in `elliptic/ec/key.js`. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-28498
reference_id
reference_type
scores
0
value 0.03935
scoring_system epss
scoring_elements 0.88558
published_at 2026-06-05T12:55:00Z
1
value 0.03935
scoring_system epss
scoring_elements 0.8854
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-28498
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28498
2
reference_url https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
3
reference_url https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
4
reference_url https://github.com/indutny/elliptic/pull/244/commits
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/pull/244/commits
5
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836
6
reference_url https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899
7
reference_url https://www.npmjs.com/package/elliptic
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/elliptic
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-28498
reference_id CVE-2020-28498
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-28498
fixed_packages
0
url pkg:npm/elliptic@6.5.4
purl pkg:npm/elliptic@6.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2sfb-9txp-c7av
1
vulnerability VCID-3rn2-srxp-p7bn
2
vulnerability VCID-ew32-3yaw-hfgg
3
vulnerability VCID-k6en-3w8h-sygy
4
vulnerability VCID-naf1-wstu-budj
5
vulnerability VCID-p89g-d93c-ekfn
6
vulnerability VCID-t9fh-dydj-9bge
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.5.4
aliases CVE-2020-28498, GHSA-r9p9-mrjm-926w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gzma-2y74-9ucn
4
url VCID-naf1-wstu-budj
vulnerability_id VCID-naf1-wstu-budj
summary 
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input

Note that `elliptic` by design accepts hex strings as one of the possible input types
references
0
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
1
reference_url https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
2
reference_url https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
reference_id GHSA-vjh7-7g9h-fjfh
reference_type
scores
url https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
3
reference_url https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
reference_id GHSA-vjh7-7g9h-fjfh
reference_type
scores
0
value 9.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
fixed_packages
0
url pkg:npm/elliptic@6.6.1
purl pkg:npm/elliptic@6.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ew32-3yaw-hfgg
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.6.1
aliases GHSA-vjh7-7g9h-fjfh
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-naf1-wstu-budj
5
url VCID-p89g-d93c-ekfn
vulnerability_id VCID-p89g-d93c-ekfn
summary 
Valid ECDSA signatures erroneously rejected in Elliptic
The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48948.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-48948.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-48948
reference_id
reference_type
scores
0
value 0.00162
scoring_system epss
scoring_elements 0.36913
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-48948
2
reference_url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48948
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48948
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
6
reference_url https://github.com/indutny/elliptic/commit/34c853478cec1be4e37260ed2cb12cdbdc6402cf
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/commit/34c853478cec1be4e37260ed2cb12cdbdc6402cf
7
reference_url https://github.com/indutny/elliptic/issues/321
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T13:57:37Z/
url https://github.com/indutny/elliptic/issues/321
8
reference_url https://github.com/indutny/elliptic/pull/322
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T13:57:37Z/
url https://github.com/indutny/elliptic/pull/322
9
reference_url https://security.netapp.com/advisory/ntap-20241220-0004
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241220-0004
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085298
reference_id 1085298
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085298
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2318778
reference_id 2318778
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2318778
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-48948
reference_id CVE-2024-48948
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-48948
13
reference_url https://github.com/advisories/GHSA-fc9h-whq2-v747
reference_id GHSA-fc9h-whq2-v747
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fc9h-whq2-v747
14
reference_url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/
reference_id we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T13:57:37Z/
url https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/
fixed_packages
0
url pkg:npm/elliptic@6.6.0
purl pkg:npm/elliptic@6.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ew32-3yaw-hfgg
1
vulnerability VCID-naf1-wstu-budj
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.6.0
aliases CVE-2024-48948, GHSA-fc9h-whq2-v747
risk_score 2.1
exploitability 0.5
weighted_severity 4.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p89g-d93c-ekfn
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/elliptic@0.15.9