PT-2024-33278 · Unknown · Secp256K1-Node
Chalker · Published 2024-10-21 · Updated 2024-10-28 · CVE-2024-48930
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
secp256k1-node versions prior to 5.0.1
secp256k1-node versions prior to 4.0.4
secp256k1-node versions prior to 3.8.1
Description
The issue affects the elliptic-based version of secp256k1-node, the pure-JavaScript implementation built on the elliptic package that is used when the native bindings are not available. Its loadCompressedPublicKey function recovers the y coordinate of a compressed key from the x coordinate but never checks that the resulting point satisfies the secp256k1 curve equation y^2 = x^3 + 7 (mod p). A compressed key whose x coordinate has no corresponding point on secp256k1 is therefore accepted and decoded to a point on a different curve of the same family, and all subsequent scalar multiplication runs on that curve. This is an invalid-curve attack: an attacker supplies keys chosen so that the decoded points lie on curves of small (low-cardinality) order, learns the victim's private key modulo each small order by brute-forcing the few possible ECDH outputs, and combines the residues with the Chinese remainder theorem. The full private key can be recovered from as few as 11 ECDH sessions, at negligible computational cost. Other public-key operations are affected as well: publicKeyVerify() incorrectly returns true for these invalid keys, and publicKeyTweakMul() returns predictable results on them, which allows the attacker to recover the tweak.
Recommendations
Update to a release that contains the fix: 5.0.1 or later on the 5.x line, 4.0.4 or later on 4.x, and 3.8.1 or later on 3.x. loadCompressedPublicKey is an internal helper of the elliptic-based implementation, invoked whenever a compressed key is parsed, not a user-facing option, so disabling it is not a usable workaround. Until the update is deployed, do not pass public keys received from untrusted parties to ecdh(), publicKeyTweakMul() or any other public-key operation of that implementation, and do not rely on publicKeyVerify() to filter them, because it accepts exactly the invalid keys in question. If untrusted keys must be accepted before upgrading, check that the decoded point satisfies y^2 = x^3 + 7 (mod p) before handing the key to the library, and prefer the native bindings where they can be built, since the affected code is the elliptic-based implementation.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-48930
GHSA-584Q-6J8J-R5PM

Affected Products

Secp256K1-Node