We found cryptography bugs in the elliptic library using Wycheproof

• Trail of Bits is publicly disclosing two vulnerabilities in elliptic, a widely used JavaScript library for elliptic curve cryptography that is downloaded over 10 million times weekly and is used by close to 3,000 projects.
• These vulnerabilities, caused by missing modular reductions and a missing length check, could allow attackers to forge signatures or prevent valid signatures from being verified, respectively.
• One vulnerability is still not fixed after a 90-day disclosure window that ended in October 2024.
• It remains unaddressed as of this publication.
• I discovered these vulnerabilities using Wycheproof, a collection of test vectors designed to test various cryptographic algorithms against known vulnerabilities.
• If you’d like to learn more about how to use Wycheproof, check out this guide I published.

Article Summaries:
- Trail of Bits has publicly disclosed two critical vulnerabilities in the widely used JavaScript elliptic curve library, “elliptic,” which receives over 10 million downloads weekly. Using the Wycheproof test suite, the team identified missing modular reductions and a missing length check that can enable attackers to forge EdDSA signatures or cause valid ECDSA signatures to be rejected. Five vulnerabilities were found in total, resulting in five CVE assignments; two of these were more severe and were disclosed privately. One of the major flaws remains unfixed after a 90‑day disclosure window that closed in October 2024.