Improper Handling of Length Parameter Inconsistency

CVE-2024-42460

Severity Medium
Score 5.3/10

Summary

The elliptic package for Node.js, versions 2.0.0 through 6.5.6, is vulnerable to Improper Handling of Length Parameter Inconsistency. ECDSA signature malleability occurs because of a missing check for whether the leading bit of "r" and "s" is zero. This has the same fix commit as CVE-2024-42461.
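As an added illustration (not code from the elliptic package or from this advisory): a strict DER decoder for an ECDSA signature that rejects an unnecessary leading zero byte in r or s, so that a given (r, s) pair has exactly one accepted byte encoding. The signature bytes below are constructed for the example and the function names are assumptions.

```javascript
// Added example (not elliptic's code): strictly decode SEQUENCE { INTEGER r, INTEGER s }.
// Assumes short-form DER lengths (< 128 bytes), which covers P-256 and secp256k1 signatures.
function readInteger(buf, pos) {
  if (buf[pos] !== 0x02) throw new Error('expected INTEGER tag');
  const len = buf[pos + 1];
  if (len === 0 || len > 0x7f) throw new Error('bad INTEGER length');
  const start = pos + 2, end = start + len;
  if (end > buf.length) throw new Error('INTEGER overruns buffer');
  const v = buf.subarray(start, end);
  // r and s are positive scalars; a set sign bit means a negative DER INTEGER.
  if (v[0] & 0x80) throw new Error('negative INTEGER');
  // A leading 0x00 is only permitted when the next byte has its high bit set.
  // Without this check "00 7f" and "7f" both decode to the same value, so a
  // third party can re-encode a valid signature into a second accepted form.
  if (len > 1 && v[0] === 0x00 && !(v[1] & 0x80)) {
    throw new Error('non-minimal INTEGER (unnecessary leading zero)');
  }
  return { value: v[0] === 0x00 ? v.subarray(1) : v, next: end };
}

function parseDerSignature(buf) {
  if (buf[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  const seqLen = buf[1];
  if (seqLen > 0x7f || seqLen !== buf.length - 2) throw new Error('bad SEQUENCE length');
  const r = readInteger(buf, 2);
  const s = readInteger(buf, r.next);
  if (s.next !== buf.length) throw new Error('trailing bytes after signature');
  return { r: r.value.toString('hex'), s: s.value.toString('hex') };
}

// Returns true only when the signature is in its single canonical DER form.
function isStrictlyValid(buf) {
  try { parseDerSignature(buf); return true; } catch (e) { return false; }
}

// Constructed sample with one-byte values for readability:
// canonical: r = 0x7f, s = 0x80 (s needs a 0x00 pad because 0x80 has the high bit set).
const canonical = Buffer.from('3007' + '02017f' + '02020080', 'hex');
// Same (r, s), but r carries an unnecessary 0x00 prefix: a malleated encoding.
const padded = Buffer.from('3008' + '0202007f' + '02020080', 'hex');

console.log(parseDerSignature(canonical)); // { r: '7f', s: '80' }
console.log(isStrictlyValid(padded));      // false
```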

CVSS v3.1 Base Metrics

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality: NONE
  • Integrity: LOW
  • Availability: NONE

CWE-130 - Improper Handling of Length Parameter Inconsistency

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Advisory Timeline

  • Published