CVE-2025-14505 (GCVE-0-2025-14505)
Vulnerability from cvelistv5 – Published: 2026-01-08 21:05 – Updated: 2026-01-08 21:22 X_Open Source
VLAI
Title
Elliptic Cryptanalysis vulnerability when `k` has leading zeros
Summary
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of 'k' is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could–under certain conditions–derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.
This issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).
Severity
5.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://github.com/indutny/elliptic/issues/321 | issue-trackingexploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T21:22:47.447055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T21:22:55.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unknown",
"packageName": "elliptic",
"product": "Elliptic",
"repo": "https://github.com/indutny/elliptic",
"vendor": "N/A",
"versions": [
{
"status": "affected",
"version": "\u003c=6.6.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Bleichenbacher"
},
{
"lang": "en",
"type": "analyst",
"value": "Subheader (https://github.com/Subheader)"
},
{
"lang": "en",
"type": "analyst",
"value": "George Kalpakas from HeroDevs"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eThe ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of \u0027\u003ctt\u003ek\u003c/tt\u003e\u0027 (as computed based on step 3.2 of \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://datatracker.ietf.org/doc/html/rfc6979\"\u003eRFC 6979\u003c/a\u003e) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of \u0027\u003ctt\u003ek\u003c/tt\u003e\u0027 is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFurthermore, due to the nature of the fault, attackers could\u2013under certain conditions\u2013derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of \u0027k\u0027 (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of \u0027k\u0027 is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result.\u00a0Furthermore, due to the nature of the fault, attackers could\u2013under certain conditions\u2013derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.\n\nThis issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1)."
}
],
"impacts": [
{
"capecId": "CAPEC-97",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-97 Cryptanalysis"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1240",
"description": "CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T21:05:14.800Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-14505"
},
{
"tags": [
"issue-tracking",
"exploit"
],
"url": "https://github.com/indutny/elliptic/issues/321"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Elliptic Cryptanalysis vulnerability when `k` has leading zeros",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2025-14505",
"datePublished": "2026-01-08T21:05:14.800Z",
"dateReserved": "2025-12-10T22:37:46.175Z",
"dateUpdated": "2026-01-08T21:22:55.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-14505",
"date": "2026-06-28",
"epss": "0.00161",
"percentile": "0.05692"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-14505\",\"sourceIdentifier\":\"36c7be3b-2937-45df-85ea-ca7133ea542c\",\"published\":\"2026-01-08T21:15:42.023\",\"lastModified\":\"2026-06-17T08:36:02.050\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of \u0027k\u0027 (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of \u0027k\u0027 is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result.\u00a0Furthermore, due to the nature of the fault, attackers could\u2013under certain conditions\u2013derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.\\n\\nThis issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).\"},{\"lang\":\"es\",\"value\":\"La implementaci\u00f3n de ECDSA del paquete Elliptic genera firmas incorrectas si un valor intermedio de \u0027k\u0027 (calculado seg\u00fan el paso 3.2 de RFC 6979 HTTPS://datatracker.ietf.org/doc/html/rfc6979 ) tiene ceros iniciales y es susceptible a criptoan\u00e1lisis, lo que puede llevar a la exposici\u00f3n de la clave secreta. Esto ocurre porque la longitud en bytes de \u0027k\u0027 se calcula incorrectamente, lo que resulta en su truncamiento durante el c\u00e1lculo. Las transacciones o comunicaciones leg\u00edtimas se romper\u00e1n como resultado. Adem\u00e1s, debido a la naturaleza del fallo, los atacantes podr\u00edan \u2013bajo ciertas condiciones\u2013 derivar la clave secreta, si pudieran obtener tanto una firma defectuosa generada por una versi\u00f3n vulnerable de Elliptic como una firma correcta para las mismas entradas.\\n\\nEste problema afecta a todas las versiones conocidas de Elliptic (en el momento de escribir esto, versiones menores o iguales a 6.6.1).\"}],\"affected\":[{\"source\":\"36c7be3b-2937-45df-85ea-ca7133ea542c\",\"affectedData\":[{\"vendor\":\"N/A\",\"product\":\"Elliptic\",\"defaultStatus\":\"unknown\",\"collectionURL\":\"https://registry.npmjs.org\",\"packageName\":\"elliptic\",\"repo\":\"https://github.com/indutny/elliptic\",\"versions\":[{\"version\":\"\u003c=6.6.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"36c7be3b-2937-45df-85ea-ca7133ea542c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-08T21:22:47.447055Z\",\"id\":\"CVE-2025-14505\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"36c7be3b-2937-45df-85ea-ca7133ea542c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1240\"}]}],\"references\":[{\"url\":\"https://github.com/indutny/elliptic/issues/321\",\"source\":\"36c7be3b-2937-45df-85ea-ca7133ea542c\"},{\"url\":\"https://www.herodevs.com/vulnerability-directory/cve-2025-14505\",\"source\":\"36c7be3b-2937-45df-85ea-ca7133ea542c\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-14505\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-08T21:22:47.447055Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-08T21:22:52.267Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Elliptic Cryptanalysis vulnerability when `k` has leading zeros\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Daniel Bleichenbacher\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Subheader (https://github.com/Subheader)\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"George Kalpakas from HeroDevs\"}], \"impacts\": [{\"capecId\": \"CAPEC-97\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-97 Cryptanalysis\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/indutny/elliptic\", \"vendor\": \"N/A\", \"product\": \"Elliptic\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c=6.6.1\", \"versionType\": \"semver\"}], \"packageName\": \"elliptic\", \"collectionURL\": \"https://registry.npmjs.org\", \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://www.herodevs.com/vulnerability-directory/cve-2025-14505\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/indutny/elliptic/issues/321\", \"tags\": [\"issue-tracking\", \"exploit\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of \u0027k\u0027 (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of \u0027k\u0027 is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result.\\u00a0Furthermore, due to the nature of the fault, attackers could\\u2013under certain conditions\\u2013derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.\\n\\nThis issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: transparent;\\\"\u003eThe ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of \u0027\u003ctt\u003ek\u003c/tt\u003e\u0027 (as computed based on step 3.2 of \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://datatracker.ietf.org/doc/html/rfc6979\\\"\u003eRFC 6979\u003c/a\u003e) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This happens, because the byte-length of \u0027\u003ctt\u003ek\u003c/tt\u003e\u0027 is incorrectly computed, resulting in its getting truncated during the computation. Legitimate transactions or communications will be broken as a result.\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eFurthermore, due to the nature of the fault, attackers could\\u2013under certain conditions\\u2013derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThis issue affects all known versions of Elliptic (at the time of writing, versions less than or equal to 6.6.1).\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1240\", \"description\": \"CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation\"}]}], \"providerMetadata\": {\"orgId\": \"36c7be3b-2937-45df-85ea-ca7133ea542c\", \"shortName\": \"HeroDevs\", \"dateUpdated\": \"2026-01-08T21:05:14.800Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-14505\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-08T21:22:55.144Z\", \"dateReserved\": \"2025-12-10T22:37:46.175Z\", \"assignerOrgId\": \"36c7be3b-2937-45df-85ea-ca7133ea542c\", \"datePublished\": \"2026-01-08T21:05:14.800Z\", \"assignerShortName\": \"HeroDevs\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…