SB2026030609 - Use of a Cryptographic Primitive with a Risky Implementation in Elliptic package
Published: March 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of a Cryptographic Primitive with a Risky Implementation (CVE-ID: CVE-2025-14505)
The vulnerability allows a remote attacker to gain access to secret key.
The vulnerability exists due to ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. A remote attacker can under certain conditions derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs
Remediation
Install update from vendor's website.