VYPR
← All advisories
Low severityNVD Advisory· Published Oct 10, 2024· Updated Nov 25, 2025

CVE-2024-48949

CVE-2024-48949

Description

The verify function in lib/elliptic/eddsa/index.js in the Elliptic package before 6.5.6 for Node.js omits "sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()" validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Elliptic package before 6.5.6 for Node.js omits validation of signature S component in EdDSA verification, allowing potential signature forgery.

The vulnerability lies in the verify function in lib/elliptic/eddsa/index.js of the Elliptic package for Node.js. The function omits a critical validation check: sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg(). This check ensures that the signature's S value is less than the curve order n and is not negative. Without this check, signatures with invalid S values are accepted [1][2].

An attacker can exploit this by crafting a signature where the S component is greater than or equal to the curve order, or negative. The missing validation means such signatures are incorrectly accepted by the verification algorithm. No special network position or authentication is required beyond the ability to present a forged signature for verification [2].

Successful exploitation allows an attacker to forge valid EdDSA signatures for any message using the target's public key. This completely breaks the authentication and integrity guarantees provided by EdDSA, potentially leading to impersonation or data tampering [2].

The issue was discovered using Wycheproof test vectors by Trail of Bits and has been patched in Elliptic version 6.5.6 [2][3]. Users should update to 6.5.6 or later immediately. No workarounds are available; updating is the only mitigation.

References
  1. NVD - CVE-2024-48949
  2. "We found cryptography bugs in the elliptic library using Wycheproof"
  3. Comparing v6.5.5...v6.5.6 · indutny/elliptic

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ellipticnpm
< 6.5.66.5.6

Affected products

76

Patches

1
7ac5360118f7

Merge commit from fork

https://github.com/indutny/ellipticMarkus-MSJul 17, 2024via ghsa
commit
1 file changed · +3 0
  • lib/elliptic/eddsa/index.js+3 0 modified
    @@ -52,6 +52,9 @@ EDDSA.prototype.sign = function sign(message, secret) {
 EDDSA.prototype.verify = function verify(message, sig, pub) {
   message = parseBytes(message);
   sig = this.makeSignature(sig);
+  if (sig.S().gte(sig.eddsa.curve.n) || sig.S().isNeg()) {
+    return false;
+  }
   var key = this.keyFromPublic(pub);
   var h = this.hashInt(sig.Rencoded(), key.pubBytes(), message);
   var SG = this.g.mul(sig.S());

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.