Miggo Logo
Miggo Vulnerability Database
CVE-2024-42459

CVE-2024-42459: Elliptic's EDDSA missing signature length check

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-42459
GHSA ID
GHSA-f7q4-pwc6-w24p
EPSS Score
0.23614%
CWE
CWE-347
Published
8/2/2024
Updated
8/15/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ellipticnpm>= 4.0.0, <= 6.5.66.5.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing signature length validation in EDDSA implementation. The commit accb61e adds a critical assertion (assert(sig.length === eddsa.encodingLength * 2)) in lib/elliptic/eddsa/signature.js to fix this. The original code in Signature constructor processed arbitrary-length arrays, enabling signature malleability through zero-byte manipulation. This matches the CVE description of 'missing signature length check' allowing byte modification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In t** *llipti* p**k*** *.*.* *or No**.js, ***S* si*n*tur* m*ll***ility o**urs ****us* t**r* is * missin* si*n*tur* l*n*t* ****k, *n* t*us z*ro-v*lu** *yt*s **n ** r*mov** or *pp*n***.

Reasoning

T** vuln*r**ility st*ms *rom missin* si*n*tur* l*n*t* v*li**tion in `***S*` impl*m*nt*tion. T** *ommit `*******` ***s * *riti**l *ss*rtion (`*ss*rt(si*.l*n*t* === ***s*.*n*o*in*L*n*t* * *)`) in `li*/*llipti*/***s*/si*n*tur*.js` to *ix t*is. T** ori*i