Security Vulnerability Report

CVE-2025-14505 CVSS 5.6 MEDIUM

Published: 2026-01-08 21:15:42
Last Modified: 2026-04-15 00:35:42
Source: 36c7be3b-2937-45df-85ea-ca7133ea542c

Description

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979, https://datatracker.ietf.org/doc/html/rfc6979) has leading zeros, and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could, under certain conditions, derive the secret key if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs. This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).

CVSS Details

CVSS Score
5.6
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

elliptic <= 6.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-14505 PoC - ECDSA k value computation error
const crypto = require('crypto');
const elliptic = require('elliptic');
const secp256k1 = new elliptic.ec('secp256k1');

// Generate key pair
const keyPair = secp256k1.genKeyPair();
const privateKey = keyPair.getPrivate('hex');
console.log('Private Key:', privateKey);

// Message to sign (elliptic exposes no SHA-256 helper, so hash with Node's crypto)
const message = 'Test message for CVE-2025-14505';
const messageHash = crypto.createHash('sha256').update(message).digest();

// Generate multiple signatures to trigger the bug
// The bug occurs when k has leading zeros; varying the 'pers' input to the
// RFC 6979 DRBG makes each iteration derive a different k for the same message
console.log('\nAttempting to sign the same message multiple times...');
const signatures = [];
for (let i = 0; i < 10; i++) {
  try {
    const sig = keyPair.sign(messageHash, { pers: 'additional_entropy_' + i });
    const sigHex = sig.toDER('hex');
    const isValid = keyPair.verify(messageHash, sig);
    signatures.push({ index: i, valid: isValid, sig: sigHex });
    console.log(`Signature ${i}: valid=${isValid}, length=${sigHex.length}`);
    // If signature is invalid, k computation may have failed
    if (!isValid) {
      console.log('INVALID SIGNATURE DETECTED - Possible CVE-2025-14505 trigger');
    }
  } catch (e) {
    console.log(`Signature ${i}: ERROR - ${e.message}`);
  }
}

// Check for signature inconsistencies that could leak private key
console.log('\nAnalyzing signatures for k value leakage...');
console.log('A faulty signature next to a correct one for the same inputs is the condition the advisory describes for key exposure');

// Verification
console.log('\nVerifying affected versions: Elliptic <= 6.6.1');
console.log('Recommended action: Upgrade to latest version of elliptic package');
```

References

https://github.com/indutny/elliptic/issues/321
https://www.herodevs.com/vulnerability-directory/cve-2025-14505

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14505", "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c", "published": "2026-01-08T21:15:42.023", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.\n\nThis issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1)."}, {"lang": "es", "value": "La implementación de ECDSA del paquete Elliptic genera firmas incorrectas si un valor intermedio de 'k' (calculado según el paso 3.2 de RFC 6979 HTTPS://datatracker.ietf.org/doc/html/rfc6979 ) tiene ceros iniciales y es susceptible a criptoanálisis, lo que puede llevar a la exposición de la clave secreta. Esto ocurre porque la longitud en bytes de 'k' se calcula incorrectamente, lo que resulta en su truncamiento durante el cálculo. Las transacciones o comunicaciones legítimas se romperán como resultado. 
Además, debido a la naturaleza del fallo, los atacantes podrían –bajo ciertas condiciones– derivar la clave secreta, si pudieran obtener tanto una firma defectuosa generada por una versión vulnerable de Elliptic como una firma correcta para las mismas entradas.\n\nEste problema afecta a todas las versiones conocidas de Elliptic (en el momento de escribir esto, versiones menores o iguales a 6.6.1)."}], "metrics": {"cvssMetricV31": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 3.4}]}, "weaknesses": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1240"}]}], "references": [{"url": "https://github.com/indutny/elliptic/issues/321", "source": "36c7be3b-2937-45df-85ea-ca7133ea542c"}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-14505", "source": "36c7be3b-2937-45df-85ea-ca7133ea542c"}]}}