CVE-2024-42460

Summary

CVE-2024-42460 is a vulnerability affecting the Elliptic package version 6.5.6 used in Node.js applications. The issue involves ECDSA signature malleability, which arises due to a missing check for whether the leading bit of r and s, cryptographic values used in the signature verification process, is zero. This allows an attacker to alter signatures, potentially leading to unauthorized access or data tampering. The missing check can enable attackers to generate new signatures that appear valid, posing a significant risk to applications using the vulnerable Elliptic package. Organizations using Node.js and the Elliptic package are advised to update to the latest version to mitigate this threat.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.