The Elliptic package before version 6.5.3 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.
{ "nvd_published_at": "2020-06-04T15:15:13Z", "cwe_ids": [ "CWE-190" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-07-29T20:39:31Z" }