Platform
nodejs
Component
elliptic
Fixed in
6.6.2
CVE-2025-14505 affects the elliptic package, a Node.js library used for elliptic curve cryptography. This vulnerability stems from an incorrect calculation of the 'k' value during ECDSA signature generation, potentially leading to secret key exposure. Versions of elliptic up to and including 6.6.1 are vulnerable, and a fix is available in version 6.6.2.
The core of the vulnerability lies in the ECDSA (Elliptic Curve Digital Signature Algorithm) implementation within the elliptic package. Specifically, the calculation of the intermediate value 'k' is flawed. RFC 6979 outlines a specific process for this calculation, and the elliptic package incorrectly truncates 'k' when it has leading zeros. This truncation allows an attacker, under certain conditions, to derive the private key used to generate the signatures. Successful key derivation would allow an attacker to forge signatures, impersonate users, and potentially compromise the entire system relying on these signatures. The impact is particularly severe in applications using elliptic for authentication or secure transactions.
CVE-2025-14505 was publicly disclosed on 2026-01-08. The vulnerability's impact is significant due to the potential for secret key derivation. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its inclusion in the KEV catalog is pending evaluation. The vulnerability's complexity suggests exploitation may require specialized knowledge of elliptic curve cryptography.
Exploit Status
EPSS
0.01% (1st percentile)
The primary mitigation for CVE-2025-14505 is to upgrade the elliptic package to version 6.6.2 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on signatures received from systems using vulnerable versions of elliptic. While not a complete solution, this can help detect and reject potentially forged signatures. Monitor network traffic for unusual signature patterns. There are no WAF rules or Sigma/YARA patterns readily available for this vulnerability: it is a cryptographic weakness in signature generation rather than a flaw that shows up as a recognisable payload in request traffic.
Update the Elliptic library to a version later than 6.6.1, where the vulnerability has been corrected. This can be done using the npm package manager by running `npm install elliptic@latest`. Ensure you test the application after the update to verify there are no compatibility issues.
CVE-2025-14505 is a vulnerability in the elliptic Node.js package where incorrect 'k' value calculations during ECDSA signature generation can lead to secret key exposure, affecting versions up to 6.6.1.
You are affected if your Node.js project uses the elliptic package version 6.6.1 or earlier. Check your package.json file to determine your elliptic version.
Upgrade the elliptic package to version 6.6.2 or later using `npm install elliptic@6.6.2` or your preferred package manager.
As of now, there are no confirmed reports of active exploitation, but the potential for secret key derivation makes it a serious concern.
Refer to the elliptic project's repository and related security advisories for the most up-to-date information: [https://github.com/elliptic/elliptic](https://github.com/elliptic/elliptic)