Full Report
During the author's internship at Trail of Bits, they set up the tool wycheproof on a JavaScript library called elliptic. The idea behind this package is great: let's take a collection of known attacks against cryptographic protocols and run them against the library. This plugin drastically improves the security confidence in a library imo. They claim this test suite would be good for CI/CD. To do this, they had to set up a harness around elliptic for wycheproof. Once this was done, they ran the tool over the library. They had several findings that they started to triage as either false positives or real findings. When trying to integrate, there's also a question of "did I set this up correctly, or are these issues my fault?"

The first issue they call out is around EdDSA signature malleability. Elliptic curves have two valid y points. In reality, only one of these should be allowed, according to specifications. This is technically valid math but bad for many cryptography purposes. This could lead to consensus failures or replay protection bypasses. Personally, I don't think that cryptographic libraries should enforce the malleability because it is desirable in some cases, but I'm not a cryptography expert so what do I know. This was the vulnerability that was fixed while the next one was not.

The second bug is that hashes with leading zeros can cause a signature to become invalid. This appears to be a string parsing bug where the conversion new BN(msg, 16) removes the leading zeros. When it's used later, some offset math is wrong as a result. This bug was never fixed. The usage of the cryptography testing library is interesting. However, I'm not sure that these are security "vulnerabilities". I agree that they differ from the specification. In the context of blockchain, where two libraries need to have perfect parity, these are both bugs for sure.
In the context of causing damage via signature validation, the first one has merit in specific situations while the second does not. Funny point at the end: Wycheproof test developer Daniel Bleichenbacher independently discovered and disclosed issue #321, which is related to this discovery. This is a really famous cryptography person who discovered some attacks on RSA back in the day. It's cool he's still in the game!
Analysis Summary
# Vulnerability: Multiple Cryptographic Flaws in 'elliptic' Library
## CVE Details
- **CVE ID**: CVE-2024-48949 (EdDSA Malleability), CVE-2024-48948 (ECDSA Verification Error)
- **CVSS Score**: Not explicitly rated in source (Estimated Medium to High depending on implementation context)
- **CWE**: CWE-347 (Improper Verification of Cryptographic Signature), CWE-682 (Incorrect Calculation)
## Affected Systems
- **Products**: `elliptic` (JavaScript library)
- **Versions**:
- CVE-2024-48949: Versions prior to the July 16, 2024 patch.
- CVE-2024-48948: All versions (as of October 2024; remains unpatched).
- **Configurations**: Applications using EdDSA for signature verification, or ECDSA with curves where the hash length exceeds the bit length of the order $n$ (e.g., secp192r1 with SHA-256).
## Vulnerability Description
1. **CVE-2024-48949 (EdDSA Malleability)**: The library failed to perform an out-of-bounds check on the integer $s$ of a signature. Per NIST FIPS 186-5, $s$ must be in the range $0 \le s < L$ (where $L$ is the order of the base point). Because the library omitted this modular reduction check, multiple valid signatures could be created for the same message (signature malleability).
2. **CVE-2024-48948 (ECDSA Verification Failure)**: A logic error in `_truncateToN` occurs when the hashed message contains leading zeros. The library uses `new BN(msg, 16)`, which strips leading zeros, making the message appear shorter than its actual byte length. This causes an incorrect bit-shift calculation (delta), leading to an improperly truncated hash and subsequent failure to verify valid signatures.
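The `_truncateToN` defect above, together with the explicit `msgSize` workaround listed under Remediation, as an added example that is not elliptic's own code: it reimplements the truncation step with BigInt instead of bn.js, assumes the secp192r1 group order and 32-byte SHA-256-sized digests, and uses constructed digest values rather than real hashes.

```javascript
// Added example (not elliptic's own code): the leading-zero truncation defect
// behind CVE-2024-48948, reproduced with BigInt instead of bn.js.
// Assumed: group order n of secp192r1 (192 bits) and 32-byte SHA-256-sized digests.
const N_SECP192R1 = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831n;

function bitLength(x) { return x === 0n ? 0 : x.toString(2).length; }
function byteLength(x) { return Math.ceil(bitLength(x) / 8); }

// Shared tail of both variants: drop the low `delta` bits, then reduce once mod n.
function shiftAndReduce(msg, delta, n) {
  let out = delta > 0 ? msg >> BigInt(delta) : msg;
  if (out >= n) out -= n;
  return out;
}

// Vulnerable shape: the byte length is inferred from the integer value, so a
// digest whose first byte is 0x00 looks one byte shorter and is shifted 8 bits too few.
function truncateToNVulnerable(digestHex, n) {
  const msg = BigInt('0x' + digestHex); // mirrors new BN(msg, 16): leading zeros vanish
  const delta = byteLength(msg) * 8 - bitLength(n);
  return shiftAndReduce(msg, delta, n);
}

// Hardened shape (the page's suggested fix): the caller states the digest size,
// so delta no longer depends on the numeric value of the digest.
function truncateToNFixed(digestHex, n, msgSizeBytes) {
  const msg = BigInt('0x' + digestHex);
  const delta = msgSizeBytes * 8 - bitLength(n);
  return shiftAndReduce(msg, delta, n);
}

// Constructed digests (not real hashes): one with a leading zero byte, one without.
const DIGEST_LEADING_ZERO = '00' + 'ab'.repeat(31);
const DIGEST_NO_ZERO = 'cd'.repeat(32);

// Returns true when both variants agree on the truncated value for a digest.
function variantsAgree(digestHex) {
  return truncateToNVulnerable(digestHex, N_SECP192R1) ===
    truncateToNFixed(digestHex, N_SECP192R1, 32);
}

console.log('no leading zero, variants agree:', variantsAgree(DIGEST_NO_ZERO));      // true
console.log('leading zero, variants agree:   ', variantsAgree(DIGEST_LEADING_ZERO)); // false
```

A signer that truncates correctly and a verifier running the vulnerable variant therefore disagree on the reduced message whenever the digest starts with a zero byte, which is why valid signatures are rejected.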
## Exploitation
- **Status**: PoC available (developed by Trail of Bits); CVE-2024-48948 independently discovered by Daniel Bleichenbacher.
- **Complexity**: Medium
- **Attack Vector**: Network (if the application verifies external signatures).
## Impact
- **Confidentiality**: None
- **Integrity**: High. CVE-2024-48949 allows for signature malleability, which can lead to replay attacks or double-spending in blockchain/consensus environments.
- **Availability**: Low. CVE-2024-48948 causes legitimate signatures to be rejected (denial of service for specific valid inputs with a probability of $2^{-32}$).
## Remediation
### Patches
- **CVE-2024-48949**: Fixed in July 2024. Users should update to the latest version of `elliptic`. Commit: `7ac5360118f74eb02da73bdf9f24fd0c72ff5281`.
- **CVE-2024-48948**: **No official patch available** as of the disclosure date. The 90-day disclosure window expired in October 2024.
### Workarounds
- For CVE-2024-48948, developers can manually ensure hashes are padded to the expected length before passing them to the `verify` function or implement the suggested fix of passing an explicit `msgSize` to `_truncateToN`.
## Detection
- **Indicators of Compromise**: Successive signature verification failures for validly formed EdDSA signatures or intermittent failures in ECDSA systems using small curves (like secp192r1).
- **Detection methods**: Integration of the **Wycheproof** testing suite into CI/CD pipelines to catch non-compliant cryptographic implementations.
## References
- Trail of Bits Advisory: [https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/](https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/)
- Elliptic GitHub Issue #321: [https://github.com/indutny/elliptic/issues/321](https://github.com/indutny/elliptic/issues/321)
- Wycheproof Tool: [https://github.com/C2SP/wycheproof](https://github.com/C2SP/wycheproof)