Dependency elliptic affected by CVE-2025-14505 (ECDSA signature vulnerability)

## Summary

The **elliptic** package (a dependency of crypto-browserify) is affected by CVE-2025-14505, causing incorrect ECDSA
signatures and potential private key exposure.

## Details

- **CVE:** [CVE-2025-14505](https://nvd.nist.gov/vuln/detail/CVE-2025-14505)
- **GHSA:** [GHSA-848j-6mx2-7j84](https://github.com/advisories/GHSA-848j-6mx2-7j84)
- **Affected:** elliptic ≤ 6.6.1 (all versions)
- **Upstream issue:** [indutny/elliptic#344](https://github.com/indutny/elliptic/issues/344)

## Impact

Incorrect signature generation when nonce **k** has leading zeros, potentially allowing private key recovery if attackers
obtain both faulty and correct signatures.

## Status

No patch is available yet. Tracking this issue to update the dependency once elliptic releases a fix.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Dependency elliptic affected by CVE-2025-14505 (ECDSA signature vulnerability) #255

Summary

Details

Impact

Status

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Dependency elliptic affected by CVE-2025-14505 (ECDSA signature vulnerability) #255

Description

Summary

Details

Impact

Status

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions