The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows.
bsomeshwer opened this issue
Someshwer Bandapally commented
Hi
Issue:
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows.
This could conceivably have a security-relevant impact if an application relied on a single canonical signature. I'm using Elliptic version 6.5.3, but I'm still facing this issue in my project.
Could you please let me know what could be the reason for this?
I tried npm install elliptic@6.5.3 and npm audit fix, and I tried a lot of other ways, but the issue still persists.
Thanks
Note: Actually, this issue is thrown by crypto-browserify. crypto-browserify internally uses a few packages, and those packages internally use elliptic.
borisvida commented
It seems that the create-ecdh and crypto-browserify dependencies need to be updated; both should already be patched.
Daniel Gustaw commented
It can be updated now because it was fixed in 4.0.4
https://github.com/crypto-browserify/createECDH/releases
This pull request:
Calvin Metcalf commented
This should automatically be included in the version range.