Find, fix and prevent vulnerabilities in your code.
medium severity
new
- Vulnerable module: elliptic
- Introduced through: @ethersproject/providers@5.8.0
Detailed paths
-
Introduced through: near-rpc-providers@blockcoders/near-rpc-providers#e47765154f6980181a6968a6322fa9e5aade3158 › @ethersproject/providers@5.8.0 › @ethersproject/transactions@5.8.0 › @ethersproject/signing-key@5.8.0 › elliptic@6.6.1
-
Introduced through: near-rpc-providers@blockcoders/near-rpc-providers#e47765154f6980181a6968a6322fa9e5aade3158 › @ethersproject/providers@5.8.0 › @ethersproject/abstract-provider@5.8.0 › @ethersproject/transactions@5.8.0 › @ethersproject/signing-key@5.8.0 › elliptic@6.6.1
-
Introduced through: near-rpc-providers@blockcoders/near-rpc-providers#e47765154f6980181a6968a6322fa9e5aade3158 › @ethersproject/providers@5.8.0 › @ethersproject/abstract-signer@5.8.0 › @ethersproject/abstract-provider@5.8.0 › @ethersproject/transactions@5.8.0 › @ethersproject/signing-key@5.8.0 › elliptic@6.6.1
-
Introduced through: near-rpc-providers@blockcoders/near-rpc-providers#e47765154f6980181a6968a6322fa9e5aade3158 › @ethersproject/providers@5.8.0 › @ethersproject/hash@5.8.0 › @ethersproject/abstract-signer@5.8.0 › @ethersproject/abstract-provider@5.8.0 › @ethersproject/transactions@5.8.0 › @ethersproject/signing-key@5.8.0 › elliptic@6.6.1
Overview
elliptic is a fast elliptic-curve cryptography implementation in plain javascript.
Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to the incorrect computation of the byte-length of k value with leading zeros resulting in its truncation. An attacker can obtain the secret key by analyzing both a faulty signature generated by a vulnerable implementation and a correct signature for the same inputs.
Note:
There is a distinct but related issue CVE-2024-48948.
Remediation
There is no fixed version for elliptic.