Miggo Logo
Miggo Vulnerability Database
CVE-2022-44310

CVE-2022-44310: ecdh vulnerable to Exposure of Resource to Wrong Sphere

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-44310
GHSA ID
GHSA-p2hp-3wv3-4w74
EPSS Score
0.20008%
CWE
CWE-668
Published
2/24/2023
Updated
3/8/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ecdhnpm< 0.2.00.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing curve validation in the shared secret derivation process. The pre-patch code in index.js only checked for the existence of publicKey.Q (line 165) but didn't verify the point's validity on the curve. The fix introduced an 'onCurve' validation check within deriveSharedSecret, confirming this was the missing security control. The CVE description and associated issue #3 explicitly reference this attack vector through invalid points, directly implicating the deriveSharedSecret function as the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In **v*lopm*nt IL **** ***or* *.*.*, *n *tt**k*r **n s*n* *n inv*li* point (not on t** *urv*) *s t** pu*li* k*y, *n* o*t*in t** **riv** s**r** s**r*t.

Reasoning

T** vuln*r**ility st*ms *rom missin* *urv* v*li**tion in t** s**r** s**r*t **riv*tion `pro**ss`. T** pr*-p*t** *o** in `in**x.js` only ****k** *or t** *xist*n** o* `pu*li*K*y.Q` (lin* ***) *ut *i*n't v*ri*y t** point's v*li*ity on t** *urv*. T** *ix