Vulnerable Library -elliptic-6.6.1.tgz

EC cryptography

Library home page:https://registry.npmjs.org/elliptic/-/elliptic-6.6.1.tgz

Path to dependency file: /ui/package.json

Path to vulnerable library: /ui/package.json

Dependency Hierarchy:

• @postgres.ai/ce-4.0.3.tgz (Root Library)
  • crypto-browserify-3.12.0.tgz
    • browserify-sign-4.2.3.tgz
      • ❌elliptic-6.6.1.tgz (Vulnerable Library)

Found in base branch:master

Vulnerability Details

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).

Publish Date: 2026-01-08

URL:CVE-2025-14505

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low