CVE-2024-42459

In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.
References
Link Resource
https://github.com/indutny/elliptic/pull/317 Exploit Issue Tracking
Configurations

Configuration 1 (hide)

cpe:2.3:a:indutny:elliptic:6.5.6:*:*:*:*:node.js:*:*

History

20 Jun 2025, 16:28

Type Values Removed Values Added
CPE cpe:2.3:a:indutny:elliptic:6.5.6:*:*:*:*:node.js:*:*
References () https://github.com/indutny/elliptic/pull/317 - () https://github.com/indutny/elliptic/pull/317 - Exploit, Issue Tracking
First Time Indutny
Indutny elliptic

02 Aug 2024, 15:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
CWE CWE-347

02 Aug 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) En el paquete Elliptic 6.5.6 para Node.js, la maleabilidad de la firma EDDSA se produce porque falta una verificación de longitud de la firma y, por lo tanto, se pueden eliminar o agregar bytes con valor cero.

02 Aug 2024, 07:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-02 07:16

Updated : 2025-06-20 16:28


NVD link : CVE-2024-42459

Mitre link : CVE-2024-42459

CVE.ORG link : CVE-2024-42459


JSON object : View

Products Affected

indutny

  • elliptic
CWE
CWE-347

Improper Verification of Cryptographic Signature