Skip to content

elliptic-6.6.1.tgz: 1 vulnerabilities (highest severity is: 5.6) #1894

New issue
New issue
Open
Open
elliptic-6.6.1.tgz: 1 vulnerabilities (highest severity is: 5.6)#1894
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Jan 9, 2026
Vulnerable Library - elliptic-6.6.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.6.1.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/elliptic/package.json,/blockchain_integration/pi_network/smartship/node_modules/elliptic/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-network-layer2-scaling/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/elliptic/package.json,/blockchain_integration/pi_network/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiRide/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-browser/node_modules/elliptic/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/elliptic/package.json,/projects/oracle-nexus/node_modules/elliptic/package.json

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (elliptic version) Remediation Possible**
CVE-2025-14505 Medium 5.6 elliptic-6.6.1.tgz Direct N/A

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-14505

Vulnerable Library - elliptic-6.6.1.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.6.1.tgz

Path to dependency file: /blockchain_integration/pi_network/PiSure/client/package.json

Path to vulnerable library: /blockchain_integration/pi_network/PiSure/client/node_modules/elliptic/package.json,/blockchain_integration/pi_network/smartship/node_modules/elliptic/package.json,/blockchain_integration/pi_network/SpacePi/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-network-layer2-scaling/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-network-interoperability/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/PI-bank/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiSure/contracts/node_modules/elliptic/package.json,/blockchain_integration/pi_network/node_modules/elliptic/package.json,/blockchain_integration/pi_network/PiRide/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-browser-app/apps/AstralPlane/node_modules/elliptic/package.json,/blockchain_integration/pi_network/contracts/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-browser/node_modules/elliptic/package.json,/sidra_chain_integration/advanced-features/blockchain-based-identity-verification/backend/node_modules/elliptic/package.json,/blockchain_integration/pi_network/pi-browser-app/node_modules/elliptic/package.json,/projects/oracle-nexus/node_modules/elliptic/package.json

Dependency Hierarchy:

  • elliptic-6.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 011e5f9d5ce310049a1a68c19f7df65be4f88caf

Found in base branch: main

Vulnerability Details

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).

Publish Date: 2026-01-08

URL: CVE-2025-14505

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions