CVE-2025-14505

Cryptanalysis
Affects: Elliptic in Elliptic
NES for Elliptic
Versions: <=6.6.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Elliptic is an implementation of Elliptic-Curve (EC) cryptography algorithms in plain JavaScript. It can be used to add support for cryptographic operations, including signing/verification, in front-end and back-end applications.

A faulty-implementation and cryptanalysis vulnerability (CVE-2025-14505) has been identified in Elliptic’s implementation of ECDSA. It can cause Elliptic to generate invalid signatures, potentially breaking legitimate transactions or communications. Furthermore, due to the nature of the fault, an attacker could, under certain conditions, derive the secret key if they obtained both a faulty signature generated by a vulnerable version of Elliptic and a correct signature.

Per CAPEC: Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).

This issue affects all currently published versions of Elliptic (with the latest published version being 6.6.1).

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the ECDSA implementation of the elliptic package in all published versions of Elliptic.

Elliptic’s implementation of ECDSA follows RFC 6979 - Deterministic Usage of the DSA and ECDSA. While computing the value of k (as described in step 3.2 of the RFC), elliptic may incorrectly truncate the value, if the interim value of k happens to have leading zeros, because the byte-length of k is incorrectly computed. This leads to generating invalid signatures, which will break legitimate transactions or communications.
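The byte-length mistake described above can be modelled in a few lines. This is an added illustration, not elliptic's source code and not part of the advisory; the function names are hypothetical, the inputs are constructed, and the faulty variant assumes the length is re-derived from the integer value after leading zero bytes have been lost.

```javascript
// Added illustration (not elliptic's code): RFC 6979 bits2int for P-521,
// next to a faulty variant that derives the input length from the integer.
const QLEN = 521; // bit length of the P-521 group order

// Interpret bytes as a big-endian unsigned integer.
function bytesToBigInt(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

// Correct: the input length comes from the byte string itself.
function bits2int(bytes, qlen = QLEN) {
  const blen = bytes.length * 8;
  const v = bytesToBigInt(bytes);
  return blen > qlen ? v >> BigInt(blen - qlen) : v;
}

// Faulty pattern (assumed): the length is recomputed from the integer,
// which no longer carries any leading zero bytes.
function bits2intFromValue(bytes, qlen = QLEN) {
  const v = bytesToBigInt(bytes);
  const byteLen = Math.ceil(v.toString(2).length / 8);
  const blen = byteLen * 8;
  return blen > qlen ? v >> BigInt(blen - qlen) : v;
}

// Constructed 66-byte inputs (the byte size of a P-521 candidate value).
const normal = new Uint8Array(66).fill(0xa5);
const leadingZero = Uint8Array.from(normal);
leadingZero[0] = 0x00; // only difference: one leading zero byte

// Run both variants on the same input and report whether they agree.
function compare(bytes) {
  const good = bits2int(bytes);
  const bad = bits2intFromValue(bytes);
  return { agree: good === bad, good, bad };
}

console.log('no leading zero byte:', compare(normal).agree);
console.log('leading zero byte   :', compare(leadingZero).agree);
```

With a leading zero byte the faulty variant sees 520 bits instead of 528, skips the 7-bit right shift, and returns a value that differs from the correctly truncated one.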

Additionally, if one could get their hands on one of the faulty signatures generated by a vulnerable version of elliptic and a correct signature (based on the same input and key), then they could potentially derive the secret key. This could, for example, happen if a user of elliptic supplied the wrong signature (using a vulnerable version) and later supplied the correct signature after switching to a different (non-faulty) implementation.

CAUTION:

In light of the danger of key exposure, all users of elliptic are strongly advised to invalidate the keys they have used to generate signatures with a vulnerable version of the package, after upgrading to a correct implementation: either a patched version of elliptic or a different implementation that doesn't suffer from this issue.

Steps To Reproduce

  • Create a new project and install the elliptic package.
  • Create a script that uses elliptic to generate a signature from specific input values that trigger the issue:
// Import `elliptic`.
const elliptic = require('elliptic');

// Initialize values.
const ec = new elliptic.ec('p521');
const key = ec.keyFromPrivate('01535d22d63de9195efd4c41358ddc89c68b6cc202b558fbf48a09e95dddf953afc1b4cfed6df0f3330f986735085e367fd07030c3ab49dcd3461197b00f09a064fb', 'hex');
const msg = ec.hash().update('12f830e9591916ec', 'hex').digest();
const sigExpected = '308188024201e92eeaf15414d4af3ee933825131867b6cb10234f28336ac976a99127139f23100458a9ee7184bfa64540ba385331eb3b469f491b3da013c42ad154a5907f554f0024200db3703c6d51b8a85c10c21b7643fe751781a7ad5708e3a944107f6da086afdc8532765871a9cabc81cec0f5b28ee59f0c72b48b72a39ae2d230dfb03afb9968a94';

// Generate signature.
const sigActual = key.sign(msg, {canonical: true}).toDER('hex');

// Check signature.
if (sigActual === sigExpected) {
  console.log('Signature computed correctly.');
} else {
  console.error('Signature computed incorrectly.');
  console.error(`  Expected signature: ${sigExpected}`);
  console.error(`  Actual signature:   ${sigActual}`);
  process.exit(1);
}
  • Run the script with Node.js and observe that the generated signature is different than the expected one: node /path/to/script
  • You can use a non-faulty implementation to generate the correct signature. For example, the following code can be used to generate the correct signature for the same key and message with the @noble/curves package (v2.0.1):
// Import `@noble/curves`.
const {p521} = require('@noble/curves/nist.js');
const {bytesToHex, hexToBytes} = require('@noble/curves/utils.js');

// Initialize values.
const key = hexToBytes('01535d22d63de9195efd4c41358ddc89c68b6cc202b558fbf48a09e95dddf953afc1b4cfed6df0f3330f986735085e367fd07030c3ab49dcd3461197b00f09a064fb');
const msg = hexToBytes('12f830e9591916ec');

// Generate signature.
const sig = bytesToHex(p521.sign(msg, key, {format: 'der'}));
console.log(`Signature: ${sig}`);

Mitigation

Even though the Elliptic project is not officially End-of-Life at the time of writing, it has not received an update, including a fix for this issue, since November 2024. This is despite the issue having been discussed on the project’s issue tracker.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications away from Elliptic.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

Vulnerability Details

ID: CVE-2025-14505
Project Affected: Elliptic
Versions Affected: <=6.6.1
NES Versions Affected
Published date: January 8, 2026
≈ Fix date: August 7, 2025
Severity: Medium
CVSS Assessment levels: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10
Category: Cryptanalysis