webpack/node-libs-browser

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows.

bsomeshwer opened this issue · 0 comments

Hi

Issue:

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, 
leading '\0' bytes, or integer overflows. 

This could conceivably have a security-relevant impact if an application relied on a
single canonical signature. I'm using Elliptic version 6.5.3, but I'm still facing this issue in my project.

Could you please let me know what could be the reason for this?

I tried `npm install elliptic@6.5.3` and `npm audit fix`, and I played around with a lot of other ways, but the issue still persists.

Thanks


**Note: Actually, this issue is thrown by node-libs-browser. node-libs-browser internally uses a few packages, and those packages internally use elliptic.**

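Added example, not part of the original issue or of either project's code: a way to check which copies of `elliptic` a lock tree resolves for the transitive chain the note describes, and which packages require it. The lock data is constructed, the function names are hypothetical, and 6.5.3 is assumed to be the first unaffected version because it is the one the post installs.

```javascript
// LOCK is constructed sample data in the nested npm v1 lock layout, not from the issue.
const LOCK = {
  dependencies: {
    elliptic: { version: "6.5.3" }, // the copy a top-level install updates
    "node-libs-browser": { version: "2.2.1", requires: { "crypto-browserify": "^3.11.0" } },
    "crypto-browserify": { version: "3.12.0", requires: { "browserify-sign": "^4.0.0", "create-ecdh": "^4.0.0" } },
    "browserify-sign": {
      version: "4.0.4", requires: { elliptic: "^6.0.0" },
      dependencies: { elliptic: { version: "6.5.2" } }, // nested copy pinned by the lock
    },
    "create-ecdh": { version: "4.0.3", requires: { elliptic: "^6.0.0" } },
  },
};

// Compare dotted numeric versions; returns <0, 0 or >0 (pre-release tags not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested "dependencies" tree and record every installed copy of `name`.
function findCopies(tree, name, path = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) found.push({ path: here.join(" > "), version: info.version });
    found.push(...findCopies(info, name, here));
  }
  return found;
}

// Report copies older than `minSafe` and the packages whose "requires" pulls `name` in.
function audit(lock, name, minSafe) {
  const stale = findCopies(lock, name).filter((c) => compareVersions(c.version, minSafe) < 0);
  const requiredBy = [];
  (function walk(tree) {
    for (const [dep, info] of Object.entries(tree.dependencies || {})) {
      if (info.requires && name in info.requires) requiredBy.push(dep);
      walk(info);
    }
  })(lock);
  return { stale, requiredBy };
}

console.log(JSON.stringify(audit(LOCK, "elliptic", "6.5.3"), null, 2)); // 6.5.3 threshold is an assumption
```

On a real project, `npm ls elliptic` prints the same information from the installed tree.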