SNYK-JS-ELLIPTIC-1064899
## Overview [elliptic](https://www.npmjs.com/package/elliptic) is a fast elliptic-curve cryptography implementation in plain javascript. Affected versions of this package are vulnerable to Cryptographic Issues via the `secp256k1` implementation in `elliptic/ec/key.js`. There is no check to confirm that the public key point passed into the derive function actually exists on the `secp256k1` curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed. ## Remediation Upgrade `elliptic` to version 6.5.4 or higher. ## References - [GitHub Commit](https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f) - [Reporter Blog](https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Jan 26, 2021 CVE Updated
- Feb 3, 2021 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899 advisory
- https://learn.snyk.io/lesson/insecure-hash/ technical
- https://www.npmjs.com/package/elliptic vendor
- https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f patch
- https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md technical