The Elliptic prior to 6.6.0 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Affected Packages

npm elliptic

Affected versions: 0 (fixed in 6.6.0)

Related CVEs

CVE-2024-48948

Key Information

GHSA ID

GHSA-fc9h-whq2-v747

Published

October 15, 2024 3:30 PM

Last Modified

December 20, 2024 3:30 PM

CVSS Score

2.5 /10

Primary Ecosystem

npm

Primary Package

elliptic

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.