Overview
- Description
- secp256k1-node is a Node.js binding for an optimized C library for EC operations on curve secp256k1. In the `elliptic`-based version, `loadUncompressedPublicKey` checks that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. This allows an attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as few as 11 ECDH sessions, at very low computational cost. Other operations on public keys are also affected: for example, `publicKeyVerify()` incorrectly returns `true` on those invalid keys, and `publicKeyTweakMul()` returns predictable outcomes that allow the tweak to be restored. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
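The on-curve check the description says is missing from `loadCompressedPublicKey`, shown as an added example for callers who want to validate a compressed key before passing it to ECDH. This is not secp256k1-node's code or its patch; the function names and sample keys are constructed for illustration.

```javascript
// Added example, not secp256k1-node's code; all names here are hypothetical.
const P = 2n ** 256n - 2n ** 32n - 977n; // secp256k1 field prime
const B = 7n;                            // curve equation: y^2 = x^3 + 7 (mod P)

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Returns {x, y} for a well-formed key that lies on the curve, otherwise null.
function parseCompressedPublicKey(hex) {
  // 33 bytes: prefix 02 (even y) or 03 (odd y), then the 32-byte x coordinate.
  if (!/^(02|03)[0-9a-fA-F]{64}$/.test(hex)) return null;
  const x = BigInt('0x' + hex.slice(2));
  if (x >= P) return null; // x must be a reduced field element
  const rhs = (x * x * x + B) % P;
  // P ≡ 3 (mod 4), so rhs^((P+1)/4) is a square root of rhs whenever one exists.
  let y = modPow(rhs, (P + 1n) / 4n, P);
  // The on-curve check: if rhs is not a square, the candidate y is not a root
  // and the encoded point is not on secp256k1.
  if ((y * y) % P !== rhs) return null;
  const isOdd = (y & 1n) === 1n;
  const wantOdd = hex.startsWith('03');
  if (isOdd !== wantOdd) y = P - y; // pick the root with the requested parity
  return { x, y };
}

// Constructed samples: the standard generator G, and x = 5,
// for which x^3 + 7 is not a square mod P.
const SAMPLE_VALID =
  '02' + '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798';
const SAMPLE_OFF_CURVE = '02' + '5'.padStart(64, '0');

console.log(parseCompressedPublicKey(SAMPLE_VALID) !== null);
console.log(parseCompressedPublicKey(SAMPLE_OFF_CURVE) !== null);
```

Upgrading to 5.0.1, 4.0.4, or 3.8.1 remains the fix; a check like this only guards call sites that cannot be upgraded immediately.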
Risk scores
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
Weaknesses
- security-advisories@github.com
- CWE-354
Social media
- Hype score
- Not currently trending
#exploit 1. CVE-2024-41992: Arcadyan FMIMG51AX000J (WiFi Alliance) RCE https://t.co/sEFIb4BUpN 2. CVE-2024-48930: Remote Private key extraction over ECDH (11 session..) https://t.co/LzRl2pvBhV
@ksg93rd
28 Oct 2024
423 Impressions
0 Retweets
6 Likes
0 Bookmarks
0 Replies
0 Quotes
#exploit 1. CVE-2024-41992: Arcadyan FMIMG51AX000J (WiFi Alliance) RCE https://t.co/NUO6IxocvM 2. CVE-2024-48930: Remote Private key extraction over ECDH (11 session..) https://t.co/daRcBIpmxv
@akaclandestine
28 Oct 2024
4104 Impressions
38 Retweets
88 Likes
30 Bookmarks
6 Replies
0 Quotes
If you are using secp256k1-node, be aware of CVE-2024-48930. Attackers can extract private keys if they can control the public key in ECDH. https://t.co/iAQktUnDFN https://t.co/222MxoCOh2
@shoucccc
21 Oct 2024
9918 Impressions
21 Retweets
114 Likes
59 Bookmarks
2 Replies
1 Quote
If you are using secp256k1-node, be aware of CVE-2024-48930. Attackers can extract private keys if they can control the public key in ECDH. https://t.co/y3KIsGmQYZ
@shoucccc
21 Oct 2024
129 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[CVE-2024-48930: HIGH] New security update! secp256k1-node for Node.js had a vulnerability allowing attackers to extract private key info. Update to versions 5.0.1, 4.0.4, or 3.8.1 for the fix. #cybersecurity#cybersecurity,#vulnerability https://t.co/0rwjBwxLy1 https://t.co/QOIAD
@CveFindCom
21 Oct 2024
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-48930 secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` has a ch… https://t.co/QQncu1qpBu
@CVEnew
21 Oct 2024
393 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes