CVE-2024-42461
📋 TL;DR
This vulnerability in the Elliptic package for Node.js allows attackers to create multiple valid signatures for the same message due to BER-encoded signature acceptance. This affects any Node.js application using Elliptic 6.5.6 for ECDSA signature verification, potentially enabling signature forgery attacks.
💻 Affected Systems
- Node.js applications using the elliptic npm package
📦 What is this software?
Elliptic by Elliptic Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could forge digital signatures to impersonate legitimate users, bypass authentication, or tamper with signed data in critical systems like blockchain transactions or authentication tokens.
Likely Case
Signature malleability could be exploited to create alternative valid signatures, potentially bypassing signature uniqueness checks in applications that rely on ECDSA for verification.
If Mitigated
With proper input validation and signature format checking, the impact is reduced to potential compatibility issues with systems expecting strict DER encoding.
🎯 Exploit Status
Exploitation requires the ability to submit crafted signatures to vulnerable applications. The GitHub PR demonstrates the vulnerability and fix.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Elliptic 6.5.7 and later
Vendor Advisory: https://github.com/indutny/elliptic/pull/317
Restart Required: Yes
Instructions:
1. Update elliptic package: npm update elliptic
2. Verify version is 6.5.7 or higher: npm list elliptic
3. Restart Node.js application
4. Test signature verification functionality
🔧 Temporary Workarounds
Signature validation wrapper
Implement custom signature validation that rejects BER-encoded (non-DER) signatures before they are passed to elliptic for verification
🧯 If You Can't Patch
- Implement strict signature format validation at application layer to reject non-DER encoded signatures
- Monitor for unusual signature patterns or multiple valid signatures for same message
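The workaround above (reject anything that is not strict DER before elliptic sees it) can be implemented without depending on elliptic's own parser. The following is an added example, not code from this advisory or from the elliptic project: a strict DER check for an ECDSA signature (SEQUENCE of two non-negative, minimally encoded INTEGERs, short-form lengths, no trailing bytes) and a wrapper that applies it in front of any verify function. Curve sizes up to P-256/secp256k1 are assumed, and the `key.verify(msgHash, sig)` call shape referred to in the comments is elliptic's documented API as the author understands it; the verify function itself is passed in as a parameter.

```javascript
// Added example (not from the advisory or the elliptic project): strict DER
// check for ECDSA signatures, applied before any verify call.
// DER layout: 0x30 <len> 0x02 <rlen> <r> 0x02 <slen> <s>
// BER additionally permits long-form lengths and padded integers, which is
// exactly what lets several byte strings stand for the same (r, s) pair.

function toBytes(sig) {
  if (sig instanceof Uint8Array) return sig;
  if (typeof sig === "string") {
    if (sig.length % 2 !== 0 || /[^0-9a-f]/i.test(sig)) throw new Error("bad hex signature");
    return Uint8Array.from(sig.match(/../g), (h) => parseInt(h, 16));
  }
  return Uint8Array.from(sig);
}

// Returns the canonical { r, s } hex magnitudes, or throws if the encoding
// deviates from DER in any way.
function parseStrictDerEcdsa(sig) {
  const bytes = toBytes(sig);
  const fail = (why) => { throw new Error(`non-DER signature: ${why}`); };

  if (bytes.length < 8) fail("too short");
  if (bytes[0] !== 0x30) fail("not a SEQUENCE");
  // DER requires the single-byte (short) length form whenever length < 128;
  // 0x81 0x46 for a 70-byte body is valid BER but not DER.
  if (bytes[1] >= 0x80) fail("long-form length where short form is required");
  if (bytes[1] !== bytes.length - 2) fail("SEQUENCE length does not match input");

  let pos = 2;
  const readInteger = (name) => {
    if (bytes[pos] !== 0x02) fail(`${name}: expected INTEGER`);
    const len = bytes[pos + 1];
    if (len === undefined || len === 0 || len >= 0x80) fail(`${name}: bad length`);
    const start = pos + 2, end = start + len;
    if (end > bytes.length) fail(`${name}: truncated`);
    const body = bytes.subarray(start, end);
    if (body[0] & 0x80) fail(`${name}: negative value`);
    // A leading 0x00 is only permitted when the next byte would otherwise
    // read as negative; any other padding is non-minimal and therefore not DER.
    if (len > 1 && body[0] === 0x00 && !(body[1] & 0x80)) fail(`${name}: non-minimal encoding`);
    pos = end;
    const magnitude = (len > 1 && body[0] === 0x00) ? body.subarray(1) : body;
    return Array.from(magnitude, (b) => b.toString(16).padStart(2, "0")).join("");
  };
  const r = readInteger("r");
  const s = readInteger("s");
  if (pos !== bytes.length) fail("trailing bytes after signature");
  return { r, s };
}

// Wrap an existing verify function (for elliptic, something like
// (msgHash, sig) => key.verify(msgHash, sig)) so that only strictly
// DER-encoded signatures ever reach it.
function makeStrictVerifier(verifyFn) {
  return (msgHash, sig, ...rest) => {
    parseStrictDerEcdsa(sig); // throws on every BER-only encoding
    return verifyFn(msgHash, sig, ...rest);
  };
}

// Constructed vectors (tiny r and s values, not real signatures):
const DER_OK        = [0x30, 0x06, 0x02, 0x01, 0x7f, 0x02, 0x01, 0x01];
const BER_LONG_LEN  = [0x30, 0x81, 0x06, 0x02, 0x01, 0x7f, 0x02, 0x01, 0x01];
const BER_PADDED_R  = [0x30, 0x07, 0x02, 0x02, 0x00, 0x7f, 0x02, 0x01, 0x01];

module.exports = { parseStrictDerEcdsa, makeStrictVerifier, DER_OK, BER_LONG_LEN, BER_PADDED_R };
```

Because the check runs before the library is called, it does not depend on which elliptic version is installed; an application that cannot upgrade still gets one accepted encoding per (r, s) pair. Rejecting with an exception rather than returning `false` keeps the failure visible in logs, which feeds the detection indicators below.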
🔍 How to Verify
Check if Vulnerable:
Check package.json or run: npm list elliptic | grep 6.5.6
Check Version:
npm list elliptic
Verify Fix Applied:
Verify elliptic version is 6.5.7+: npm list elliptic | grep -E '6\.5\.([7-9]|[1-9][0-9]+)'
📡 Detection & Monitoring
Log Indicators:
- Multiple successful signature verifications for same message/data
- Signature verification errors with BER encoding mentions
Network Indicators:
- Unusual signature submission patterns
- Repeated signature attempts with slight variations
SIEM Query:
signature_verification AND (multiple_attempts OR format_error)
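The log indicators above (several distinct signatures accepted for one message, and verification errors that mention BER) can be checked offline with a short script. The following is an added example, not part of this advisory: it parses constructed application log lines in an assumed format (`<timestamp> sig_verify result=<ok|error> msg=<hex digest> sig=<hex signature> [reason=<text>]`), groups accepted signatures by message digest, and reports any message that was accepted under more than one distinct encoding, plus any rejection whose reason mentions BER. The log format and the sample lines are assumptions made for the example.

```javascript
// Added example (not from the advisory): detection over constructed log lines
// for the indicators "multiple valid signatures for the same message" and
// "verification errors mentioning BER". The log format is an assumption.

const SAMPLE_LOG = [
  "2024-08-01T10:00:00Z sig_verify result=ok msg=9f86d081 sig=300602017f020101",
  "2024-08-01T10:00:01Z sig_verify result=ok msg=9f86d081 sig=300602017f020101",   // same bytes again: benign retry
  "2024-08-01T10:00:02Z sig_verify result=ok msg=9f86d081 sig=30810602017f020101", // same message, different encoding
  "2024-08-01T10:00:03Z sig_verify result=ok msg=2c26b46b sig=300602010102017f",
  "2024-08-01T10:00:04Z sig_verify result=error msg=2c26b46b sig=3081060201010201 reason=BER_length_rejected",
  "2024-08-01T10:00:05Z unrelated_event foo=bar",
];

// Parse one line into { ts, result, msg, sig, reason? }, or null if it is not a sig_verify event.
function parseLine(line) {
  const m = /^(\S+) sig_verify (.*)$/.exec(line);
  if (!m) return null;
  const fields = { ts: m[1] };
  for (const kv of m[2].split(/\s+/)) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return fields;
}

// Returns { multiSigMessages, berErrors }.
//   multiSigMessages: messages accepted under more than one distinct signature encoding
//   berErrors:        rejected verifications whose reason mentions BER
function analyzeSignatureLog(lines) {
  const okSigsByMsg = new Map();
  const berErrors = [];
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !ev.msg || !ev.sig) continue;
    if (ev.result === "ok") {
      const seen = okSigsByMsg.get(ev.msg) || new Set();
      seen.add(ev.sig.toLowerCase()); // identical retries collapse into one entry
      okSigsByMsg.set(ev.msg, seen);
    } else if (/ber/i.test(ev.reason || "")) {
      berErrors.push({ ts: ev.ts, msg: ev.msg, reason: ev.reason });
    }
  }
  const multiSigMessages = [];
  for (const [msg, sigs] of okSigsByMsg) {
    if (sigs.size > 1) multiSigMessages.push({ msg, signatures: [...sigs] });
  }
  return { multiSigMessages, berErrors };
}

module.exports = { SAMPLE_LOG, parseLine, analyzeSignatureLog };
```

A message that appears in `multiSigMessages` on a host still running elliptic 6.5.6 is the malleability case this advisory describes; the same finding after the upgrade to 6.5.7 indicates the log source is not the patched verifier. The `berErrors` list is the expected signal once the fix or the workaround wrapper is in place, and a sudden rise in it is worth investigating.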