
Cloud Vulnerability DB
A community-led vulnerabilities database
In version 6.5.6 of the Elliptic package for Node.js, a vulnerability was discovered in its EdDSA signature handling that makes signatures malleable. The root cause is a missing signature length check, which allows zero-valued bytes to be removed from or appended to a signature without the verifier rejecting it (NVD, Ubuntu).
The vulnerability stems from insufficient validation during signature verification: because the EdDSA implementation does not check the length of the encoded signature, a signature can be altered by stripping or adding zero-valued bytes and still verify. The issue has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and has been classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD).
An attacker could therefore produce multiple distinct byte encodings of the same valid signature. Systems that treat the signature bytes as unique (for example, for deduplication or as part of a transaction identifier) and rely on the Elliptic package's EdDSA implementation are the ones whose integrity assumptions are affected (GitHub PR).
The issue has been fixed in a pull request that adds proper signature length validation. The fix introduces additional checks during the decoding stage of both ECDSA and EdDSA signatures, so that a signature of the wrong length is rejected before verification. Users are advised to upgrade to the latest version of the Elliptic package that includes these security fixes (GitHub PR).
The security community engaged actively with this vulnerability, as the GitHub pull request discussion shows: multiple security researchers and developers acknowledged the importance of the fix, and the pull request received several approvals and positive reactions (GitHub PR).
Source: This report was generated using AI