GHSA-9wx7-jrvc-28mm: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-9wx7-jrvc-28mm) affects Stark Bank ECDSA libraries across multiple platforms including Java (com.starkbank:ecdsa-java v1.0.0), Python (starkbank-ecdsa < 2.0.1), .NET (starkbank-ecdsa v1.3.1), and Node.js (starkbank-ecdsa v1.1.2). The high-severity vulnerability was discovered and disclosed on November 8, 2021, allowing attackers to forge signatures on arbitrary messages that would verify for any public key (GitHub Advisory).

The vulnerability stems from missing signature validation checks in the ECDSA implementation. Specifically, the libraries failed to verify that signature components (r and s) were within the valid range of 1 to N-1, where N is the order of the curve. This oversight was addressed by adding range checks for signature.r and signature.s values (ECDSA Python).

The vulnerability could allow attackers to authenticate as any user within the Stark Bank platform and bypass signature verification needed to perform critical operations such as sending payments and transferring funds. Additionally, other projects using these libraries could be impacted in various unforeseen ways due to the ability to forge signatures (GitHub Advisory).

The vulnerability has been patched in updated versions of the libraries: Java (v1.0.1), Python (v2.0.1), .NET (v1.3.2), and Node.js (v1.1.3). Users should upgrade to these patched versions to prevent signature forgery attacks (GitHub Advisory).