Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/elliptic@6.6.1
Typenpm
Namespace
Nameelliptic
Version6.6.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-ew32-3yaw-hfgg
vulnerability_id VCID-ew32-3yaw-hfgg
summary 
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of  RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.

This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14505.json
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14505.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-14505
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01144
published_at 2026-06-06T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02396
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-14505
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14505
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14505
3
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
4
reference_url https://github.com/indutny/elliptic/issues/321
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:22:47Z/
url https://github.com/indutny/elliptic/issues/321
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125180
reference_id 1125180
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125180
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2428154
reference_id 2428154
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2428154
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-14505
reference_id CVE-2025-14505
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-14505
8
reference_url https://www.herodevs.com/vulnerability-directory/cve-2025-14505
reference_id CVE-2025-14505
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T21:22:47Z/
url https://www.herodevs.com/vulnerability-directory/cve-2025-14505
9
reference_url https://github.com/advisories/GHSA-848j-6mx2-7j84
reference_id GHSA-848j-6mx2-7j84
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-848j-6mx2-7j84
fixed_packages
aliases CVE-2025-14505, GHSA-848j-6mx2-7j84
risk_score 2.5
exploitability 0.5
weighted_severity 5.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ew32-3yaw-hfgg
Fixing_vulnerabilities
0
url VCID-naf1-wstu-budj
vulnerability_id VCID-naf1-wstu-budj
summary 
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input

Note that `elliptic` by design accepts hex strings as one of the possible input types
references
0
reference_url https://github.com/indutny/elliptic
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic
1
reference_url https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
2
reference_url https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
reference_id GHSA-vjh7-7g9h-fjfh
reference_type
scores
url https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
3
reference_url https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
reference_id GHSA-vjh7-7g9h-fjfh
reference_type
scores
0
value 9.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
fixed_packages
0
url pkg:npm/elliptic@6.6.1
purl pkg:npm/elliptic@6.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ew32-3yaw-hfgg
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.6.1
aliases GHSA-vjh7-7g9h-fjfh
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-naf1-wstu-budj
Risk_score2.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/elliptic@6.6.1