Low severity · NVD Advisory · Published Aug 2, 2024 · Updated Nov 3, 2025

CVE-2024-42461

Description

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Elliptic.js 6.5.6 accepts BER-encoded ECDSA signatures without sufficient validation, allowing signature malleability attacks.

Vulnerability Overview

The Elliptic package version 6.5.6 for Node.js contains a signature malleability vulnerability in its ECDSA implementation. The root cause is that the _importDER function in the library accepts BER-encoded signatures without performing critical validity checks on the decoded r and s values [1][3]. Specifically, the code fails to reject signatures where r or s have a leading zero byte (0x00) or where the high bit of the first byte is set (value ≥ 128), both of which can be used to produce different DER encodings of the same mathematical signature [3].

Exploitation Context

An attacker can exploit this by taking a valid ECDSA signature for a given message and public key, then re-encoding it using BER (as opposed to the stricter DER) with added leading zero bytes or with a high-order bit set in the integer encoding. The vulnerable library will accept this modified signature as valid during verify() calls [2][4]. No authentication or special network position is required if the attacker can supply or modify signatures that the application subsequently verifies using the Elliptic library — for example, in scenarios where signed data (like JWTs, certificates, or blockchain transactions) is received from untrusted parties.

Impact

Successful exploitation allows an attacker to forge alternative yet valid signatures for the same message and public key pair. This undermines the non-repudiation property of ECDSA and can enable replay attacks or signature-based fraud. In systems where signature uniqueness is relied upon (e.g., double-spend prevention, audit logs), an attacker could present a different signature that still verifies, potentially bypassing integrity checks or causing state inconsistencies.

Mitigation

The vulnerability is fixed in commit accb61e [3], which adds validation for leading zero bytes and high-bit checks during DER import. Users should upgrade to Elliptic version 6.5.7 or later. As of the CVE publication date (August 2, 2024), no public exploit code or inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog has been reported.
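A strict-DER gate for ECDSA signatures, as an added example that is not code from this advisory or from the elliptic project: it rejects the encodings the patch targets (a zero first length octet, an INTEGER with the high bit set) and, going beyond the patch, other non-minimal forms. The names `readLen`, `readInt`, `isStrictDer` and the sample bytes are constructed for illustration.

```javascript
// Added example: strict DER check for an ECDSA signature (SEQUENCE of two INTEGERs).
// readLen, readInt and isStrictDer are hypothetical helpers, not elliptic's API.
function readLen(buf, pos) {
  if (pos.i >= buf.length) return -1;
  const first = buf[pos.i++];
  if (first < 0x80) return first;                  // short form
  const n = first & 0x7f;                          // number of length octets
  if (n === 0 || n > 2 || pos.i + n > buf.length) return -1; // indefinite or oversized
  if (buf[pos.i] === 0x00) return -1;              // zero-padded length octets
  let len = 0;
  for (let k = 0; k < n; k++) len = (len << 8) | buf[pos.i++];
  return len < 0x80 ? -1 : len;                    // long form where short form fits
}

function readInt(buf, pos) {
  if (buf[pos.i++] !== 0x02) return false;         // INTEGER tag
  const len = readLen(buf, pos);
  if (len <= 0 || pos.i + len > buf.length) return false;
  const b0 = buf[pos.i];
  if (b0 & 0x80) return false;                     // would decode as negative
  if (b0 === 0x00 && len > 1 && !(buf[pos.i + 1] & 0x80)) return false; // needless pad
  pos.i += len;
  return true;
}

function isStrictDer(sig) {
  const buf = Uint8Array.from(sig);
  const pos = { i: 0 };
  if (buf[pos.i++] !== 0x30) return false;         // SEQUENCE tag
  const len = readLen(buf, pos);
  if (len < 0 || pos.i + len !== buf.length) return false; // no trailing bytes
  return readInt(buf, pos) && readInt(buf, pos) && pos.i === buf.length;
}

// Constructed toy encodings (r and s are one or two bytes, not real signatures).
const SAMPLES = {
  canonical:       [0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02],
  paddedHighBit:   [0x30, 0x07, 0x02, 0x02, 0x00, 0x80, 0x02, 0x01, 0x02],
  longFormLength:  [0x30, 0x81, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02],
  zeroLengthOctet: [0x30, 0x82, 0x00, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02],
  negativeR:       [0x30, 0x06, 0x02, 0x01, 0x80, 0x02, 0x01, 0x02],
  needlessPad:     [0x30, 0x07, 0x02, 0x02, 0x00, 0x01, 0x02, 0x01, 0x02],
};
for (const [name, bytes] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), isStrictDer(bytes) ? 'accept' : 'reject');
}
```

Running a gate like this before `verify()` means only one byte string per (r, s) pair is accepted, which is the property systems that treat the signature bytes as an identifier depend on.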

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: elliptic (npm)
Affected versions: >= 5.2.1, < 6.5.7
Patched versions: 6.5.7

Affected products

2
  • Node.js/Elliptic package (description)
  • ghsa-coords
    Range: >= 5.2.1, < 6.5.7

Patches

1
accb61e9c1a0

lib: DER signature decoding correction

https://github.com/indutny/elliptic · Markus Schiffermüller · Aug 14, 2024 · via ghsa
2 files changed · +11 0
  • lib/elliptic/ec/signature.js+10 0 modified
    @@ -38,6 +38,10 @@ function getLength(buf, p) {
         return false;
       }
     
    +  if(buf[p.place] === 0x00) {
    +    return false;
    +  }
    +
       var val = 0;
       for (var i = 0, off = p.place; i < octetLen; i++, off++) {
         val <<= 8;
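Review bot: the check added in getLength just before the loop that accumulates the octetLen length octets, `if(buf[p.place] === 0x00)`, has no comment saying that it rejects a length whose first length octet is zero, and it is written `if(` where the surrounding code uses `if (`. Suggest a one-line comment stating that length octets must not be zero-padded, plus the spacing fix. Neither of the two changed files is a test file, so a regression case with a zero-padded long-form length belongs with this change.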
    @@ -86,6 +90,9 @@ Signature.prototype._importDER = function _importDER(data, enc) {
       if (rlen === false) {
         return false;
       }
    +  if ((data[p.place] & 128) !== 0) {
    +    return false;
    +  }
       var r = data.slice(p.place, rlen + p.place);
       p.place += rlen;
       if (data[p.place++] !== 0x02) {
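Review bot: the high-bit test added before `var r = data.slice(p.place, rlen + p.place)` reads `data[p.place]` without first checking that rlen is non-zero; the only guard above it is `rlen === false`, so for a zero-length INTEGER the byte tested is the one that is next compared against the 0x02 tag, not the first byte of r. Suggest rejecting a zero rlen here, or testing the bit on `r[0]` after the slice, and adding a comment that the test rejects r values that would decode as negative.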
    @@ -98,6 +105,9 @@ Signature.prototype._importDER = function _importDER(data, enc) {
       if (data.length !== slen + p.place) {
         return false;
       }
    +  if ((data[p.place] & 128) !== 0) {
    +    return false;
    +  }
       var s = data.slice(p.place, slen + p.place);
       if (r[0] === 0) {
         if (r[1] & 0x80) {
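Review bot: this is a second copy of the check added for r, placed before `var s = data.slice(p.place, slen + p.place)`, and both copies write the mask as `128` while the context line just below uses `r[1] & 0x80`. Suggest a small helper shared by the r and s paths and the `0x80` literal throughout, so the two checks cannot drift apart. As with r, nothing visible here rejects a zero slen before `data[p.place]` is read.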
    
  • lib/elliptic/eddsa/signature.js+1 0 modified
    @@ -21,6 +21,7 @@ function Signature(eddsa, sig) {
         sig = parseBytes(sig);
     
       if (Array.isArray(sig)) {
    +    assert(sig.length === eddsa.encodingLength * 2, 'Signature has invalid size');
         sig = {
           R: sig.slice(0, eddsa.encodingLength),
           S: sig.slice(eddsa.encodingLength),
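Review bot: the size check added inside the `Array.isArray(sig)` branch uses `assert(...)`, which throws on a wrong-length signature, while the ECDSA importer changed in the same commit reports malformed input with `return false`. Suggest documenting that constructing an EdDSA Signature can now throw on malformed input, so callers handling untrusted signatures catch it, or reporting the failure the way the ECDSA path does. The commit title mentions only DER decoding, so this EdDSA change deserves its own line in the message.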
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
