Trail of Bits Discloses Vulnerabilities in Elliptic JavaScript Library
Today, Trail of Bits, a well-respected security research and auditing firm, has published a blog post outlining two vulnerabilities in elliptic, a widely used JavaScript cryptographic library.
The library has reportedly been downloaded over 10 million times and is used in almost 3,000 projects.
One vulnerability, CVE-2024-48949, was promptly fixed by the maintainers on the same day Trail of Bits put forth their proposed patch.
For the other one, CVE-2024-48948, Trail of Bits received no response when it tried to reach out. After 90 days, the vulnerability was made public in October 2024. As of the posting of the article, the vulnerability still wasn't fixed.
The vulnerabilities were discovered using Wycheproof, a repository of test vectors for testing attacks against cryptographic libraries and finding other implementation bugs and inconsistencies.
This situation highlights the importance of a quick response from software developers to vulnerabilities reported to them. If they aren't addressed quickly, or in this case apparently ignored entirely, millions of people could be left vulnerable.
These vulnerabilities serve as an example of why continuous testing is crucial for ensuring the security and correctness of widely used cryptographic tools. In particular, Wycheproof and other actively maintained sets of cryptographic test vectors are excellent tools for ensuring high-quality cryptography libraries. We recommend including these test vectors (and any other relevant ones) in your CI/CD pipeline so that they are rerun whenever a code change is made. This will ensure that your library is resilient against these specific cryptographic issues both now and in the future.
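As an illustration of the CI recommendation above, here is a minimal vector runner for ECDSA verification. It is an added example, not code from Trail of Bits or the elliptic project. It assumes Node's built-in `crypto` as a stand-in for the verifier under test, and it constructs its vectors at runtime using Wycheproof's field names (`keyPem`, `sha`, `tests`, `tcId`, `msg`, `sig`, `result`).

```javascript
const crypto = require('crypto');

// Verifier under test. Node's built-in ECDSA is a stand-in (assumption);
// in CI, replace the body with a call into the library being tested.
function verifyUnderTest(keyPem, hashName, msg, sigDer) {
  try {
    return crypto.verify(hashName, msg, keyPem, sigDer);
  } catch (err) {
    return false; // a signature that fails to parse counts as rejected
  }
}

// Constructed vectors (not from the Wycheproof repository), in its field layout.
function buildConstructedGroup() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const msg = Buffer.from('constructed sample message');
  const sig = crypto.sign('sha256', msg, privateKey); // DER-encoded (r, s)
  const flipped = Buffer.from(sig);
  flipped[flipped.length - 1] ^= 0x01; // alters the low bit of s
  const hex = (b) => b.toString('hex');
  return {
    keyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sha: 'SHA-256',
    tests: [
      { tcId: 1, comment: 'genuine signature', msg: hex(msg), sig: hex(sig), result: 'valid' },
      { tcId: 2, comment: 'low bit of s flipped', msg: hex(msg), sig: hex(flipped), result: 'invalid' },
      { tcId: 3, comment: 'signature truncated', msg: hex(msg), sig: hex(sig.subarray(0, -1)), result: 'invalid' },
      { tcId: 4, comment: 'different message', msg: hex(Buffer.from('other')), sig: hex(sig), result: 'invalid' },
    ],
  };
}

// Return every vector where the verifier disagrees with the expected result.
function runGroup(group, verify = verifyUnderTest) {
  const hashName = group.sha.replace('-', '').toLowerCase(); // 'SHA-256' -> 'sha256'
  const failures = [];
  for (const t of group.tests) {
    const accepted = verify(group.keyPem, hashName, Buffer.from(t.msg, 'hex'), Buffer.from(t.sig, 'hex'));
    // 'acceptable' vectors may go either way; only valid/invalid are enforced.
    if ((t.result === 'valid' && !accepted) || (t.result === 'invalid' && accepted)) {
      failures.push({ tcId: t.tcId, comment: t.comment, expected: t.result, accepted });
    }
  }
  return failures;
}

const failures = runGroup(buildConstructedGroup());
for (const f of failures) console.error(`tcId ${f.tcId} (${f.comment}): expected ${f.expected}`);
process.exitCode = failures.length ? 1 : 0; // a non-zero exit fails the CI job
```

In a real pipeline the constructed group would be replaced by the test groups loaded from the Wycheproof JSON files, so the same comparison runs on every code change.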