The following vulnerabilities were published for node-elliptic.
CVE-2024-42459[0]:
| In the Elliptic package 6.5.6 for Node.js, EDDSA signature
| malleability occurs because there is a missing signature length
| check, and thus zero-valued bytes can be removed or appended.
CVE-2024-42460[1]:
| In the Elliptic package 6.5.6 for Node.js, ECDSA signature
| malleability occurs because there is a missing check for whether the
| leading bit of r and s is zero.
CVE-2024-42461[2]:
| In the Elliptic package 6.5.6 for Node.js, ECDSA signature
| malleability occurs because BER-encoded signatures are allowed.