VYPR
← All advisories
Low severityNVD Advisory· Published Oct 15, 2024· Updated Nov 25, 2025

CVE-2024-48948

CVE-2024-48948

Description

The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Elliptic 6.5.7 for Node.js incorrectly rejects valid ECDSA signatures when the hash has four leading zero bytes and exceeds curve order, due to a truncation bug.

Vulnerability

Overview

CVE-2024-48948 affects the Elliptic package version 6.5.7 for Node.js. The ECDSA signature verification routine contains a bug in the _truncateToN function: when the hash contains at least four leading zero bytes and the order of the elliptic curve's base point is smaller than the hash, the truncation logic fails, causing valid signatures to be incorrectly rejected [1][3]. This anomaly arises because the library does not properly account for leading zero bytes when computing the hash length, leading to an incorrect truncation of the hash value [4].

Exploitation and

Attack Surface

The vulnerability is triggered during signature verification. An attacker does not need to actively exploit this bug; rather, any legitimate transaction or communication that produces a hash with the required properties (four leading zero bytes and a hash length exceeding the curve order) will be falsely flagged as invalid. This can occur naturally in systems that use elliptic for ECDSA verification, such as blockchain applications or secure messaging [1]. No special network position or authentication is required to encounter the bug—it manifests during normal operation.

Impact

The primary impact is a denial of service or reliability issue: legitimate signatures are rejected, causing transactions or communications to fail. This can disrupt services that rely on ECDSA verification, potentially leading to financial loss or operational downtime. The bug does not allow signature forgery, but it undermines the correctness of the verification process [1][3].

Mitigation

The issue has been addressed in a pull request that was merged into the elliptic repository [4]. Users should update to a version that includes the fix (e.g., version 6.5.8 or later). The fix ensures that the hash length is correctly computed by counting leading zero bits in hex strings and all array entries in Buffer-like messages, aligning with FIPS 186-5 guidelines [4]. No workaround is available other than upgrading.

References
  1. "We found cryptography bugs in the elliptic library using Wycheproof"
  2. NVD - CVE-2024-48948
  3. ECDSA signature verification error due to leading zero by Markus-MS · Pull Request #322 · indutny/elliptic

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ellipticnpm
< 6.6.06.6.0

Affected products

76

Patches

1
34c853478cec

fix: signature verification due to leading zeros

https://github.com/indutny/ellipticFedor IndutnyOct 26, 2024via ghsa
commit
3 files changed · +73 7
  • lib/elliptic/ec/index.js+27 5 modified
    @@ -78,8 +78,27 @@ EC.prototype.genKeyPair = function genKeyPair(options) {
   }
 };
 
-EC.prototype._truncateToN = function _truncateToN(msg, truncOnly) {
-  var delta = msg.byteLength() * 8 - this.n.bitLength();
+EC.prototype._truncateToN = function _truncateToN(msg, truncOnly, bitLength) {
+  var byteLength;
+  if (BN.isBN(msg) || typeof msg === 'number') {
+    msg = new BN(msg, 16);
+    byteLength = msg.byteLength();
+  } else if (typeof msg === 'object') {
+    // BN assumes an array-like input and asserts length
+    byteLength = msg.length;
+    msg = new BN(msg, 16);
+  } else {
+    // BN converts the value to string
+    var str = msg.toString();
+    // HEX encoding
+    byteLength = (str.length + 1) >>> 1;
+    msg = new BN(str, 16);
+  }
+  // Allow overriding
+  if (typeof bitLength !== 'number') {
+    bitLength = byteLength * 8;
+  }
+  var delta = bitLength - this.n.bitLength();
   if (delta > 0)
     msg = msg.ushrn(delta);
   if (!truncOnly && msg.cmp(this.n) >= 0)
@@ -97,7 +116,7 @@ EC.prototype.sign = function sign(msg, key, enc, options) {
     options = {};
 
   key = this.keyFromPrivate(key, enc);
-  msg = this._truncateToN(new BN(msg, 16));
+  msg = this._truncateToN(msg, false, options.msgBitLength);
 
   // Zero-extend key to provide enough entropy
   var bytes = this.n.byteLength();
@@ -153,8 +172,11 @@ EC.prototype.sign = function sign(msg, key, enc, options) {
   }
 };
 
-EC.prototype.verify = function verify(msg, signature, key, enc) {
-  msg = this._truncateToN(new BN(msg, 16));
+EC.prototype.verify = function verify(msg, signature, key, enc, options) {
+  if (!options)
+    options = {};
+
+  msg = this._truncateToN(msg, false, options.msgBitLength);
   key = this.keyFromPublic(key, enc);
   signature = new Signature(signature, 'hex');
  • lib/elliptic/ec/key.js+2 2 modified
    @@ -111,8 +111,8 @@ KeyPair.prototype.sign = function sign(msg, enc, options) {
   return this.ec.sign(msg, this, enc, options);
 };
 
-KeyPair.prototype.verify = function verify(msg, signature) {
-  return this.ec.verify(msg, signature, this);
+KeyPair.prototype.verify = function verify(msg, signature, options) {
+  return this.ec.verify(msg, signature, this, undefined, options);
 };
 
 KeyPair.prototype.inspect = function inspect() {
  • test/ecdsa-test.js+44 0 modified
    @@ -489,6 +489,50 @@ describe('ECDSA', function() {
       });
     });
 
+  it('Wycheproof special hash case with hex', function() {
+    var curve = new elliptic.ec('p192');
+    var msg =
+      '00000000690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9';
+    var sig = '303502186f20676c0d04fc40ea55d5702f798355787363a9' +
+              '1e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf5' +
+              '56a2034288885b';
+    var pub = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deb' +
+              'a28150de1be6cb4376523006beff30ff09b4049125ced29723';
+    var pubKey = curve.keyFromPublic(pub, 'hex');
+    assert(pubKey.verify(msg, sig) === true);
+  });
+
+  it('Wycheproof special hash case with Array', function() {
+    var curve = new elliptic.ec('p192');
+    var msg = [
+      0x00, 0x00, 0x00, 0x00, 0x69, 0x0e, 0xd4, 0x26, 0xcc, 0xf1, 0x78,
+      0x03, 0xeb, 0xe2, 0xbd, 0x08, 0x84, 0xbc, 0xd5, 0x8a, 0x1b, 0xb5,
+      0xe7, 0x47, 0x7e, 0xad, 0x36, 0x45, 0xf3, 0x56, 0xe7, 0xa9,
+    ];
+    var sig = '303502186f20676c0d04fc40ea55d5702f798355787363a9' +
+              '1e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf5' +
+              '56a2034288885b';
+    var pub = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deb' +
+              'a28150de1be6cb4376523006beff30ff09b4049125ced29723';
+    var pubKey = curve.keyFromPublic(pub, 'hex');
+    assert(pubKey.verify(msg, sig) === true);
+  });
+
+  it('Wycheproof special hash case with BN', function() {
+    var curve = new elliptic.ec('p192');
+    var msg = new BN(
+      '00000000690ed426ccf17803ebe2bd0884bcd58a1bb5e7477ead3645f356e7a9',
+      16,
+    );
+    var sig = '303502186f20676c0d04fc40ea55d5702f798355787363a9' +
+              '1e97a7e50219009d1c8c171b2b02e7d791c204c17cea4cf5' +
+              '56a2034288885b';
+    var pub = '04cd35a0b18eeb8fcd87ff019780012828745f046e785deb' +
+              'a28150de1be6cb4376523006beff30ff09b4049125ced29723';
+    var pubKey = curve.keyFromPublic(pub, 'hex');
+    assert(pubKey.verify(msg, sig, { msgBitLength: 32 * 8 }) === true);
+  });
+
   describe('Signature', function () {
     it('recoveryParam is 0', function () {
       var sig = new Signature({ r: '00', s: '00', recoveryParam: 0 });

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.