
Kyle Den Hartog

#39945 of 53,635
6.8 Total CVSS
Vulnerabilities · 1
PT-2021-11554
6.8
2021-02-02
Elliptic · Elliptic · CVE-2020-28498
Name of the Vulnerable Software and Affected Versions: elliptic versions prior to 6.5.4

Description: The issue is a cryptographic weakness in the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the `derive` function actually exists on the secp256k1 curve. As a result, the private key used in this implementation can potentially be revealed after a number of ECDH operations are performed.

Recommendations: For versions prior to 6.5.4, update to version 6.5.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `derive` function in elliptic/ec/key.js until a patch is available. Restrict access to the secp256k1 implementation to minimize the risk of exploitation. Avoid using the `derive` function with unverified public key points until the issue is resolved.