CVE-2024-42461: 
JavaScript vulnerability analysis and mitigation

In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed. The vulnerability was discovered and disclosed in August 2024, affecting the cryptographic signature verification functionality in the Elliptic library (NVD, Debian).

The vulnerability stems from improper validation of ECDSA signatures encoded in BER format, which allows leading zeros to be manipulated. The issue has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) by NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, while CISA-ADP assessed it at 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD).

The vulnerability could allow attackers to manipulate ECDSA signatures by exploiting the BER-encoding validation weakness, potentially leading to signature malleability issues that could compromise the integrity of cryptographic operations (GitHub PR).

The vulnerability has been fixed in version 6.5.7 of the Elliptic package. Users are advised to upgrade to this version or later. The fix includes additional checks during the decoding stage of ECDSA signatures to prevent signature malleability (GitHub PR).

The security community has shown significant interest in this vulnerability, with multiple security researchers and developers actively discussing the fix on GitHub. The pull request addressing this issue received notable attention and was merged after thorough review by the maintainers (GitHub PR).