indutny / elliptic

Fast Elliptic Curve Cryptography in plain javascript

Improper Verification of Cryptographic Signature (CVE-2024-48948) #323

Open avembankottu opened 1 week ago

avembankottu commented 1 week ago

https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303

bora-yuksel-1 commented 1 week ago

+1 to this, seems like a PR is already open for this issue: https://github.com/indutny/elliptic/pull/322

un4ckn0wl3z commented 1 week ago

+1

avembankottu commented 1 week ago

Any idea when it will get merged?

LordOfCinder2000 commented 1 week ago

+1

paulmillr commented 6 days ago

  1. This is not a CVE: just a bug.
  2. The maintainer is currently focused on other important things, so it's unclear when it would be fixed.
  3. Switch to the newer package noble-curves instead.

jcheung-xmatters commented 1 day ago

+1 Unfortunately it's not as simple as "switch to another package", as this library is a dependency 4 levels down in my project.

chadlwilson commented 8 hours ago

Fixed in 6.6.0 via https://github.com/indutny/elliptic/pull/326 - you can close this issue now.