#VU123597 Use of a Cryptographic Primitive with a Risky Implementation in elliptic - CVE-2025-14505

 


Published: March 6, 2026


Vulnerability identifier: #VU123597
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-14505
CWE-ID: CWE-1240
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: elliptic
Software vendor: indutny

Description

The vulnerability allows a remote attacker to gain access to the secret key.

The vulnerability exists because the ECDSA implementation in the Elliptic package generates incorrect signatures if an interim value of 'k' has leading zeros. Such signatures are susceptible to cryptanalysis, which can lead to secret key exposure. Under certain conditions, a remote attacker can derive the secret key if they obtain both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
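
A defensive check that follows from the description above, as an added example (not code from the advisory or from the elliptic project): verify each signature before releasing it, and audit signatures already issued. It assumes an incorrect signature fails verification against the signer's public key; `signer`, `faultySigner`, `signChecked`, `auditIssued` and the P-256 key pair are hypothetical or constructed, with Node's built-in crypto module standing in as the independent verifier.

```javascript
// Added example: verify-after-sign guard plus an audit of issued signatures.
const nodeCrypto = require('node:crypto');
const OPTS = { dsaEncoding: 'ieee-p1363' }; // raw r||s encoding

// Constructed P-256 key pair for the demo; a real service loads its own key.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('ec', {
  namedCurve: 'prime256v1',
});

// Hypothetical signer standing in for the application's ECDSA signing call.
function signer(msg) {
  return nodeCrypto.sign('sha256', msg, { key: privateKey, ...OPTS });
}

// Hypothetical faulty signer: simulates an incorrect signature by flipping
// one bit of s. It does not reproduce the elliptic bug itself.
function faultySigner(msg) {
  const sig = Buffer.from(signer(msg));
  sig[sig.length - 1] ^= 0x01;
  return sig;
}

// Independent verification of a raw r||s signature over msg.
function verifies(msg, sig, pub) {
  return nodeCrypto.verify('sha256', msg, { key: pub, ...OPTS }, sig);
}

// Release a signature only if the independent verifier accepts it. A rejected
// signature is neither returned nor logged, so it never leaves the process.
function signChecked(signFn, msg, pub) {
  const sig = signFn(msg);
  if (!verifies(msg, sig, pub)) {
    throw new Error('signature failed self-verification; not released');
  }
  return sig;
}

// Audit stored {id, msg, sig} records and return the ids whose signatures do
// not verify. A hit is a candidate faulty signature: treat the key as
// potentially exposed and rotate it.
function auditIssued(records, pub) {
  return records.filter((r) => !verifies(r.msg, r.sig, pub)).map((r) => r.id);
}
```
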


Remediation

Install updates from vendor's website.
