CVE-2024-48948: The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least...

Description

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

Classification

CVE ID: CVE-2024-48948

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 0.11437 (how common is this exploit)

EPSS Date: 2025-02-03 (when was this score calculated)

Timeline

2024-12-21 00:30:35 UTC
CVE

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least...
2025-03-06 09:45:39 UTC
Tenable Plugins

Linux Distros Unpatched Vulnerability : CVE-2024-48948