Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/ecdsa@0.7
Type pypi
Namespace
Name ecdsa
Version 0.7
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.19.2
Latest_non_vulnerable_version 0.19.2
Affected_by_vulnerabilities
0
url VCID-9pe3-67b4-yqae
vulnerability_id VCID-9pe3-67b4-yqae
summary A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14859.json
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14859.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-14859
reference_id
reference_type
scores
0
value 0.00065
scoring_system epss
scoring_elements 0.20133
published_at 2026-04-29T12:55:00Z
1
value 0.00065
scoring_system epss
scoring_elements 0.20166
published_at 2026-04-26T12:55:00Z
2
value 0.00065
scoring_system epss
scoring_elements 0.20172
published_at 2026-04-24T12:55:00Z
3
value 0.00065
scoring_system epss
scoring_elements 0.20293
published_at 2026-04-21T12:55:00Z
4
value 0.00065
scoring_system epss
scoring_elements 0.20296
published_at 2026-04-18T12:55:00Z
5
value 0.00065
scoring_system epss
scoring_elements 0.20291
published_at 2026-04-16T12:55:00Z
6
value 0.00065
scoring_system epss
scoring_elements 0.20303
published_at 2026-04-13T12:55:00Z
7
value 0.00065
scoring_system epss
scoring_elements 0.20361
published_at 2026-04-12T12:55:00Z
8
value 0.00065
scoring_system epss
scoring_elements 0.20309
published_at 2026-04-01T12:55:00Z
9
value 0.00065
scoring_system epss
scoring_elements 0.20453
published_at 2026-04-02T12:55:00Z
10
value 0.00065
scoring_system epss
scoring_elements 0.20512
published_at 2026-04-04T12:55:00Z
11
value 0.00065
scoring_system epss
scoring_elements 0.20238
published_at 2026-04-07T12:55:00Z
12
value 0.00065
scoring_system epss
scoring_elements 0.20318
published_at 2026-04-08T12:55:00Z
13
value 0.00065
scoring_system epss
scoring_elements 0.20377
published_at 2026-04-09T12:55:00Z
14
value 0.00065
scoring_system epss
scoring_elements 0.20406
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-14859
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/advisories/GHSA-8qxj-f9rh-9fg2
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-8qxj-f9rh-9fg2
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2020-163.yaml
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2020-163.yaml
8
reference_url https://github.com/tlsfuzzer/python-ecdsa/commit/3427fa29f319b27898a28601955807abb44c0830
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tlsfuzzer/python-ecdsa/commit/3427fa29f319b27898a28601955807abb44c0830
9
reference_url https://github.com/tlsfuzzer/python-ecdsa/commit/9080d1d5ac533da0de00466aaffb49bee808bb4e
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tlsfuzzer/python-ecdsa/commit/9080d1d5ac533da0de00466aaffb49bee808bb4e
10
reference_url https://github.com/tlsfuzzer/python-ecdsa/commit/b0ea52bb3aa9a16c9a4a91fdc0041edbfed10b31
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/tlsfuzzer/python-ecdsa/commit/b0ea52bb3aa9a16c9a4a91fdc0041edbfed10b31
11
reference_url https://github.com/warner/python-ecdsa
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa
12
reference_url https://github.com/warner/python-ecdsa/issues/114
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa/issues/114
13
reference_url https://github.com/warner/python-ecdsa/pull/115
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa/pull/115
14
reference_url https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-14859
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-14859
16
reference_url https://pypi.org/project/ecdsa/0.13.3
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://pypi.org/project/ecdsa/0.13.3
17
reference_url https://pypi.org/project/ecdsa/0.13.3/
reference_id
reference_type
scores
url https://pypi.org/project/ecdsa/0.13.3/
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1760843
reference_id 1760843
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1760843
19
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
20
reference_url https://usn.ubuntu.com/4196-1/
reference_id USN-4196-1
reference_type
scores
url https://usn.ubuntu.com/4196-1/
fixed_packages
0
url pkg:pypi/ecdsa@0.13.3
purl pkg:pypi/ecdsa@0.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ebg3-6ssf-dkcy
1
vulnerability VCID-kbjk-tnfz-rfdw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ecdsa@0.13.3
aliases CVE-2019-14859, GHSA-8qxj-f9rh-9fg2, PYSEC-2020-163
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9pe3-67b4-yqae
1
url VCID-acg5-4qjn-sudc
vulnerability_id VCID-acg5-4qjn-sudc
summary A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
references
0
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
1
reference_url https://github.com/warner/python-ecdsa/issues/114
reference_id
reference_type
scores
url https://github.com/warner/python-ecdsa/issues/114
2
reference_url https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
reference_id
reference_type
scores
url https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
3
reference_url https://pypi.org/project/ecdsa/0.13.3/
reference_id
reference_type
scores
url https://pypi.org/project/ecdsa/0.13.3/
fixed_packages
0
url pkg:pypi/ecdsa@0.13.3
purl pkg:pypi/ecdsa@0.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ebg3-6ssf-dkcy
1
vulnerability VCID-kbjk-tnfz-rfdw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ecdsa@0.13.3
aliases PYSEC-2020-182
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acg5-4qjn-sudc
2
url VCID-ebg3-6ssf-dkcy
vulnerability_id VCID-ebg3-6ssf-dkcy
summary
Minerva timing attack on P-256 in python-ecdsa
python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function and timing signatures, an attacker can leak the internal nonce, which may allow for private key discovery. ECDSA signatures, key generation, and ECDH operations are all affected. ECDSA signature verification is unaffected. The python-ecdsa project considers side channel attacks out of scope for the project and there is no planned fix.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23342.json
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-23342.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-23342
reference_id
reference_type
scores
0
value 0.00622
scoring_system epss
scoring_elements 0.70179
published_at 2026-04-29T12:55:00Z
1
value 0.00622
scoring_system epss
scoring_elements 0.7018
published_at 2026-04-26T12:55:00Z
2
value 0.00622
scoring_system epss
scoring_elements 0.70174
published_at 2026-04-24T12:55:00Z
3
value 0.00622
scoring_system epss
scoring_elements 0.70038
published_at 2026-04-02T12:55:00Z
4
value 0.00622
scoring_system epss
scoring_elements 0.7009
published_at 2026-04-13T12:55:00Z
5
value 0.00622
scoring_system epss
scoring_elements 0.70103
published_at 2026-04-12T12:55:00Z
6
value 0.00622
scoring_system epss
scoring_elements 0.70117
published_at 2026-04-11T12:55:00Z
7
value 0.00622
scoring_system epss
scoring_elements 0.70094
published_at 2026-04-09T12:55:00Z
8
value 0.00622
scoring_system epss
scoring_elements 0.70078
published_at 2026-04-08T12:55:00Z
9
value 0.00622
scoring_system epss
scoring_elements 0.70031
published_at 2026-04-07T12:55:00Z
10
value 0.00622
scoring_system epss
scoring_elements 0.70053
published_at 2026-04-04T12:55:00Z
11
value 0.00622
scoring_system epss
scoring_elements 0.70122
published_at 2026-04-21T12:55:00Z
12
value 0.00622
scoring_system epss
scoring_elements 0.70143
published_at 2026-04-18T12:55:00Z
13
value 0.00622
scoring_system epss
scoring_elements 0.70133
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-23342
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23342
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23342
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/tlsfuzzer/python-ecdsa
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/tlsfuzzer/python-ecdsa
5
reference_url https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:35:54Z/
url https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md
6
reference_url https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-05-08T15:35:54Z/
url https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp
7
reference_url https://minerva.crocs.fi.muni.cz
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://minerva.crocs.fi.muni.cz
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-23342
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-23342
9
reference_url https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2259780
reference_id 2259780
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2259780
11
reference_url https://github.com/advisories/GHSA-wj6h-64fc-37mp
reference_id GHSA-wj6h-64fc-37mp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wj6h-64fc-37mp
12
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
13
reference_url https://access.redhat.com/errata/RHSA-2024:1878
reference_id RHSA-2024:1878
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1878
fixed_packages
aliases CVE-2024-23342, GHSA-wj6h-64fc-37mp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ebg3-6ssf-dkcy
3
url VCID-kbjk-tnfz-rfdw
vulnerability_id VCID-kbjk-tnfz-rfdw
summary
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
## Summary

An issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.

1. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected.

2. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service.

## Impact

Potential denial-of-service when parsing untrusted DER private keys due to unexpected internal exceptions, and malformed DER acceptance due to missing bounds checks in DER helper functions.

## Reproduction

Attach and run the following PoCs:

### poc_truncated_der_octet.py

```python
from ecdsa.der import remove_octet_string, UnexpectedDER

# OCTET STRING (0x04)
# Declared length: 0x82 0x10 0x00  -> 4096 bytes
# Actual body: only 3 bytes -> truncated DER
bad = b"\x04\x82\x10\x00" + b"ABC"

try:
    body, rest = remove_octet_string(bad)
    print("[BUG] remove_octet_string accepted truncated DER.")
    print("Declared length=4096, actual body_len=", len(body), "rest_len=", len(rest))
    print("Body=", body)
    print("Rest=", rest)
except UnexpectedDER as e:
    print("[OK] Rejected malformed DER:", e)
```

- Expected: reject malformed DER when declared length exceeds available bytes
- Actual: accepts the truncated DER and returns a shorter body
- Example output:
```
Parsed body_len= 3 rest_len= 0 (while declared length is 4096)
```

### poc_signingkey_from_der_indexerror.py

```python
from ecdsa import SigningKey, NIST256p
import ecdsa

print("ecdsa version:", ecdsa.__version__)

sk = SigningKey.generate(curve=NIST256p)
good = sk.to_der()
print("Good DER len:", len(good))


def find_crashing_mutation(data: bytes):
    b = bytearray(data)

    # Try every OCTET STRING tag position and corrupt a short-form length byte
    for i in range(len(b) - 4):
        if b[i] != 0x04:  # OCTET STRING tag
            continue

        L = b[i + 1]
        if L >= 0x80:
            # skip long-form lengths for simplicity
            continue

        max_possible = len(b) - (i + 2)
        if max_possible <= 10:
            continue

        # Claim more bytes than exist -> truncation
        newL = min(0x7F, max_possible + 20)
        b2 = bytearray(b)
        b2[i + 1] = newL

        try:
            SigningKey.from_der(bytes(b2))
        except Exception as e:
            return i, type(e).__name__, str(e)

    return None


res = find_crashing_mutation(good)
if res is None:
    print("[INFO] No exception triggered by this mutation strategy.")
else:
    i, etype, msg = res
    print("[BUG] SigningKey.from_der raised unexpected exception type.")
    print("Offset:", i, "Exception:", etype, "Message:", msg)
```

- Expected: reject malformed DER with `UnexpectedDER` or `ValueError`
- Actual: deterministically triggers an internal `IndexError` (DoS risk)
- Example output:
```
Result: (5, 'IndexError', 'index out of bounds on dimension 1')
```

## Suggested fix

Add “declared length must fit buffer” checks in DER helper functions similarly to the existing check in `remove_sequence()`:

- `remove_octet_string()`
- `remove_constructed()`
- `remove_implicit()`

Additionally, consider catching unexpected internal exceptions in DER key parsing paths and re-raising them as `UnexpectedDER` to avoid crashy failure modes.
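The two suggestions above, as an added example that is not python-ecdsa's own code: an OCTET STRING reader with the declared-length-fits-buffer check beside the unchecked pattern, and a wrapper that re-raises stray internal exceptions as `UnexpectedDER`. The `UnexpectedDER` class, `read_length`, `toy_private_key_from_der`, `parse_key_blob_safely`, `outcome`, `safe_parse_outcome` and the constructed inputs are this example's own; only the `remove_octet_string` naming is borrowed from `ecdsa.der`.

```python
"""Added illustration: a DER OCTET STRING reader with the "declared length must
fit the buffer" check beside the unchecked pattern, plus a wrapper that turns
stray internal exceptions into UnexpectedDER. Not python-ecdsa's own code."""


class UnexpectedDER(Exception):
    """Single exception type for malformed DER (the type the advisory names)."""


def read_length(data: bytes, offset: int):
    """Decode a DER length at `offset`; return (length, offset_of_body).
    Short form (< 0x80) and long form with 1..4 length bytes are supported;
    non-minimal encodings are rejected. Whether the body fits is the caller's check."""
    if offset >= len(data):
        raise UnexpectedDER("missing length byte")
    first = data[offset]
    if first < 0x80:
        return first, offset + 1
    num_bytes = first & 0x7F
    if num_bytes == 0 or num_bytes > 4:
        raise UnexpectedDER("indefinite or oversized length encoding")
    if offset + 1 + num_bytes > len(data):
        raise UnexpectedDER("truncated length field")
    length = int.from_bytes(data[offset + 1:offset + 1 + num_bytes], "big")
    if length < 0x80 or (num_bytes > 1 and length < 1 << (8 * (num_bytes - 1))):
        raise UnexpectedDER("non-minimal length encoding")
    return length, offset + 1 + num_bytes


def remove_octet_string_unchecked(data: bytes):
    """Vulnerable pattern: slice the body without checking it is all present.
    Slicing stops silently at the buffer end, so 4096 claimed over 3 bytes "parses"."""
    if not data or data[0] != 0x04:
        raise UnexpectedDER("expected OCTET STRING tag 0x04")
    length, body_start = read_length(data, 1)
    return data[body_start:body_start + length], data[body_start + length:]


def remove_octet_string_checked(data: bytes):
    """Hardened form: reject when the declared length exceeds the bytes present."""
    if not data or data[0] != 0x04:
        raise UnexpectedDER("expected OCTET STRING tag 0x04")
    length, body_start = read_length(data, 1)
    available = len(data) - body_start
    if length > available:
        raise UnexpectedDER(f"truncated OCTET STRING: declared {length}, have {available}")
    return data[body_start:body_start + length], data[body_start + length:]


def toy_private_key_from_der(blob: bytes) -> bytes:
    """Toy stand-in for a key parser built on the unchecked helper: it expects a
    32-byte scalar and touches its last byte, so a truncated body raises IndexError."""
    body, _rest = remove_octet_string_unchecked(blob)
    _ = body[31]
    return body


def parse_key_blob_safely(blob: bytes, parser):
    """Advisory's second suggestion: re-raise any internal error from the DER
    parsing path (IndexError, ValueError, ...) as UnexpectedDER at the trust boundary."""
    try:
        return parser(blob)
    except UnexpectedDER:
        raise
    except Exception as exc:  # deliberately broad: untrusted-input boundary
        raise UnexpectedDER(f"malformed DER ({type(exc).__name__}: {exc})") from exc


# Constructed inputs: the advisory's truncated OCTET STRING (declares 4096
# bytes, supplies 3) and a well-formed 3-byte one followed by an empty SEQUENCE.
TRUNCATED = b"\x04\x82\x10\x00" + b"ABC"
WELL_FORMED = b"\x04\x03" + b"ABC" + b"\x30\x00"


def outcome(parser, blob: bytes) -> str:
    """Describe one parser's result on one blob as a short string."""
    try:
        body, rest = parser(blob)
    except UnexpectedDER as exc:
        return f"rejected: {exc}"
    return f"accepted body_len={len(body)} rest_len={len(rest)}"


def safe_parse_outcome(blob: bytes) -> str:
    """Outcome of the wrapped toy key parser on `blob`."""
    try:
        parse_key_blob_safely(blob, toy_private_key_from_der)
    except UnexpectedDER as exc:
        return f"rejected: {exc}"
    return "accepted"


if __name__ == "__main__":
    print("unchecked:", outcome(remove_octet_string_unchecked, TRUNCATED))
    print("checked:", outcome(remove_octet_string_checked, TRUNCATED))
    print("wrapped key parser:", safe_parse_outcome(TRUNCATED))
```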

## Credit

Mohamed Abdelaal (@0xmrma)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33936.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33936.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33936
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.10676
published_at 2026-04-26T12:55:00Z
1
value 0.00036
scoring_system epss
scoring_elements 0.10695
published_at 2026-04-24T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.10743
published_at 2026-04-21T12:55:00Z
3
value 0.00039
scoring_system epss
scoring_elements 0.11743
published_at 2026-04-29T12:55:00Z
4
value 0.00107
scoring_system epss
scoring_elements 0.28853
published_at 2026-04-13T12:55:00Z
5
value 0.00107
scoring_system epss
scoring_elements 0.28977
published_at 2026-04-02T12:55:00Z
6
value 0.00107
scoring_system epss
scoring_elements 0.28851
published_at 2026-04-18T12:55:00Z
7
value 0.00107
scoring_system epss
scoring_elements 0.29027
published_at 2026-04-04T12:55:00Z
8
value 0.00107
scoring_system epss
scoring_elements 0.28834
published_at 2026-04-07T12:55:00Z
9
value 0.00107
scoring_system epss
scoring_elements 0.28902
published_at 2026-04-08T12:55:00Z
10
value 0.00107
scoring_system epss
scoring_elements 0.28942
published_at 2026-04-09T12:55:00Z
11
value 0.00107
scoring_system epss
scoring_elements 0.28947
published_at 2026-04-11T12:55:00Z
12
value 0.00107
scoring_system epss
scoring_elements 0.28903
published_at 2026-04-12T12:55:00Z
13
value 0.00107
scoring_system epss
scoring_elements 0.28875
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33936
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33936
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33936
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/tlsfuzzer/python-ecdsa
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/tlsfuzzer/python-ecdsa
5
reference_url https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:44:27Z/
url https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3
6
reference_url https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:44:27Z/
url https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2
7
reference_url https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:44:27Z/
url https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33936
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33936
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132164
reference_id 1132164
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132164
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452539
reference_id 2452539
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452539
11
reference_url https://github.com/advisories/GHSA-9f5j-8jwj-x28g
reference_id GHSA-9f5j-8jwj-x28g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9f5j-8jwj-x28g
fixed_packages
0
url pkg:pypi/ecdsa@0.19.2
purl pkg:pypi/ecdsa@0.19.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ecdsa@0.19.2
aliases CVE-2026-33936, GHSA-9f5j-8jwj-x28g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kbjk-tnfz-rfdw
4
url VCID-qrf7-gnjg-bfat
vulnerability_id VCID-qrf7-gnjg-bfat
summary An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14853.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14853.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-14853
reference_id
reference_type
scores
0
value 0.00068
scoring_system epss
scoring_elements 0.20721
published_at 2026-04-29T12:55:00Z
1
value 0.00068
scoring_system epss
scoring_elements 0.20754
published_at 2026-04-26T12:55:00Z
2
value 0.00068
scoring_system epss
scoring_elements 0.20759
published_at 2026-04-24T12:55:00Z
3
value 0.00068
scoring_system epss
scoring_elements 0.20888
published_at 2026-04-21T12:55:00Z
4
value 0.00068
scoring_system epss
scoring_elements 0.20907
published_at 2026-04-18T12:55:00Z
5
value 0.00068
scoring_system epss
scoring_elements 0.20967
published_at 2026-04-12T12:55:00Z
6
value 0.00068
scoring_system epss
scoring_elements 0.20996
published_at 2026-04-09T12:55:00Z
7
value 0.00068
scoring_system epss
scoring_elements 0.20934
published_at 2026-04-08T12:55:00Z
8
value 0.00068
scoring_system epss
scoring_elements 0.20854
published_at 2026-04-07T12:55:00Z
9
value 0.00068
scoring_system epss
scoring_elements 0.2114
published_at 2026-04-04T12:55:00Z
10
value 0.00068
scoring_system epss
scoring_elements 0.21087
published_at 2026-04-02T12:55:00Z
11
value 0.00068
scoring_system epss
scoring_elements 0.20936
published_at 2026-04-01T12:55:00Z
12
value 0.00068
scoring_system epss
scoring_elements 0.20905
published_at 2026-04-16T12:55:00Z
13
value 0.00068
scoring_system epss
scoring_elements 0.20914
published_at 2026-04-13T12:55:00Z
14
value 0.00068
scoring_system epss
scoring_elements 0.21012
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-14853
2
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/advisories/GHSA-2mrj-435v-c2cr
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-2mrj-435v-c2cr
7
reference_url https://github.com/advisories/GHSA-pwfw-mgfj-7g3g
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-pwfw-mgfj-7g3g
8
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2019-177.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2019-177.yaml
9
reference_url https://github.com/warner/python-ecdsa
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa
10
reference_url https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
11
reference_url https://github.com/warner/python-ecdsa/security/advisories/GHSA-pwfw-mgfj-7g3g
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/warner/python-ecdsa/security/advisories/GHSA-pwfw-mgfj-7g3g
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-14853
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-14853
13
reference_url https://seclists.org/bugtraq/2019/Dec/33
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://seclists.org/bugtraq/2019/Dec/33
14
reference_url https://www.debian.org/security/2019/dsa-4588
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2019/dsa-4588
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1758704
reference_id 1758704
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1758704
16
reference_url https://access.redhat.com/errata/RHSA-2021:4702
reference_id RHSA-2021:4702
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4702
17
reference_url https://usn.ubuntu.com/4196-1/
reference_id USN-4196-1
reference_type
scores
url https://usn.ubuntu.com/4196-1/
fixed_packages
0
url pkg:pypi/ecdsa@0.13.3
purl pkg:pypi/ecdsa@0.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ebg3-6ssf-dkcy
1
vulnerability VCID-kbjk-tnfz-rfdw
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ecdsa@0.13.3
aliases CVE-2019-14853, GHSA-2mrj-435v-c2cr, GHSA-pwfw-mgfj-7g3g, PYSEC-2019-177
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qrf7-gnjg-bfat
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/ecdsa@0.7