プラットフォーム
nodejs
コンポーネント
elliptic
修正版
6.6.2
6.6.2
CVE-2025-14505 affects the elliptic package, a Node.js library used for elliptic curve cryptography. This vulnerability stems from an incorrect calculation of the 'k' value during ECDSA signature generation, potentially leading to secret key exposure. Versions of elliptic up to and including 6.6.1 are vulnerable, and a fix is available in version 6.6.2.
The core of the vulnerability lies in the ECDSA (Elliptic Curve Digital Signature Algorithm) implementation within the elliptic package. Specifically, the calculation of the intermediate value 'k' is flawed. RFC 6979 outlines a specific process for this calculation, and the elliptic package incorrectly truncates 'k' when it has leading zeros. This truncation allows an attacker, under certain conditions, to derive the private key used to generate the signatures. Successful key derivation would allow an attacker to forge signatures, impersonate users, and potentially compromise the entire system relying on these signatures. The impact is particularly severe in applications using elliptic for authentication or secure transactions.
CVE-2025-14505 was publicly disclosed on 2026-01-08. The vulnerability's impact is significant due to the potential for secret key derivation. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its inclusion in the KEV catalog is pending evaluation. The vulnerability's complexity suggests exploitation may require specialized knowledge of elliptic curve cryptography.
Applications and services built on Node.js that rely on the elliptic package for cryptographic operations are at risk. This includes systems performing authentication, digital signatures, or secure communication using ECDSA. Projects using older versions of Node.js or those with complex dependency chains are particularly vulnerable.
• nodejs: Use npm list elliptic to identify vulnerable versions. Check package.json for dependencies on elliptic versions <= 6.6.1.
npm list elliptic• nodejs: Examine application logs for errors related to signature verification or ECDSA operations. Look for unusual patterns or failures in signature validation. • generic web: Monitor for unexpected or unauthorized access attempts, which could indicate a compromised key. • generic web: Review code for any direct usage of the elliptic package and ensure proper signature validation routines are in place.
disclosure
エクスプロイト状況
EPSS
0.01% (1% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2025-14505 is to upgrade the elliptic package to version 6.6.2 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on signatures received from systems using vulnerable versions of elliptic. While not a complete solution, this can help detect and reject potentially forged signatures. Monitor network traffic for unusual signature patterns. There are no specific WAF rules or Sigma/YARA patterns readily available for this vulnerability, as it's a cryptographic flaw rather than a direct exploit.
Actualice la biblioteca Elliptic a una versión posterior a 6.6.1, donde se ha corregido la vulnerabilidad. Esto se puede hacer mediante el administrador de paquetes npm ejecutando `npm install elliptic@latest`. Asegúrese de probar la aplicación después de la actualización para verificar que no haya problemas de compatibilidad.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2025-14505 is a vulnerability in the elliptic Node.js package where incorrect 'k' value calculations during ECDSA signature generation can lead to secret key exposure, affecting versions up to 6.6.1.
You are affected if your Node.js project uses the elliptic package version 6.6.1 or earlier. Check your package.json file to determine your elliptic version.
Upgrade the elliptic package to version 6.6.2 or later using npm install [email protected] or your preferred package manager.
As of now, there are no confirmed reports of active exploitation, but the potential for secret key derivation makes it a serious concern.
Refer to the elliptic project's repository and related security advisories for the most up-to-date information: [https://github.com/elliptic/elliptic](https://github.com/elliptic/elliptic)
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。