shinyoshiaki / werift-webrtc

WebRTC Implementation for TypeScript (Node.js), includes ICE/DTLS/SCTP/RTP/SRTP/WEBM/MP4
MIT License
463 stars 29 forks

Security issue: outdated cryptography is used #357

Closed paulmillr closed 8 months ago

paulmillr commented 8 months ago

You're using elliptic, which has long been unmaintained, and has a few cases where it produces invalid outputs, which means in blockchain context "users lose money".

It is advised to replace it with audited @noble/curves.

shinyoshiaki commented 8 months ago

Thanks for the advice. I'll try to migrate.

shinyoshiaki commented 8 months ago

Done in #358.

paulmillr commented 8 months ago

Not done. You didn't remove elliptic.

shinyoshiaki commented 8 months ago

Finally, #359.