PT-2025-7253 · Elliptic · Elliptic

Published: 2025-02-12 · Updated: 2025-02-12

CVSS v4.0: 9.0 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: elliptic (affected versions not specified)
Description: The issue allows for private key extraction from ECDSA signatures when signing a malformed input, such as a string or a number, which could come from JSON network input. This is possible because the elliptic library accepts hex strings as one of the possible input types. The vulnerability can be exploited by constructing a malicious message that can be signed, leading to the reuse of the k value and ultimately allowing for private key extraction. The attack requires only a single malicious message to be signed for full key extraction. The estimated number of potentially affected devices worldwide is not available.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
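
Since no fixed version is listed, one caller-side guard is to refuse anything that is not raw digest bytes before it reaches the signer, so strings and numbers decoded from JSON never get signed. This is an added example, not code from the elliptic project or from this advisory; `signFn`, `makeGuardedSigner`, `assertDigest` and `digestOfPayload` are hypothetical names, and it assumes the application signs 32-byte SHA-256 digests.

```javascript
const crypto = require('crypto');

const DIGEST_LEN = 32; // assumption: SHA-256 digest signed on a 256-bit curve

// Accept only raw bytes of exactly digest length. Strings, numbers, plain
// arrays and objects (everything JSON.parse can produce) are rejected.
function assertDigest(value) {
  if (!(value instanceof Uint8Array)) {
    const kind = Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`digest must be bytes, got ${kind}`);
  }
  if (value.length !== DIGEST_LEN) {
    throw new RangeError(`digest must be ${DIGEST_LEN} bytes, got ${value.length}`);
  }
  return Buffer.from(value); // copy, so the caller cannot mutate it afterwards
}

// Hash the payload locally instead of trusting a digest supplied by the peer.
function digestOfPayload(payload) {
  if (typeof payload !== 'string') throw new TypeError('payload must be a string');
  return crypto.createHash('sha256').update(payload, 'utf8').digest();
}

// signFn is hypothetical: any (Buffer) => signature function wrapping the
// signing library in use. The guard runs before the library sees the input.
function makeGuardedSigner(signFn) {
  return (digest) => signFn(assertDigest(digest));
}

// Constructed sample: values as they might arrive in a JSON request body,
// plus a short buffer and one correctly derived digest.
function demo() {
  const seen = [];
  const sign = makeGuardedSigner((d) => { seen.push(d); return 'sig'; });
  const request = JSON.parse('{"candidates": ["0a1b", 12345, [1,2,3], {"type":"Buffer"}]}');
  const inputs = [...request.candidates, Buffer.alloc(31),
                  digestOfPayload('transfer 10 to alice')];
  const results = inputs.map((v) => {
    try { sign(v); return 'signed'; } catch (e) { return e.name; }
  });
  return { results, signerCalls: seen.length };
}

console.log(demo());
```

Only the locally computed digest reaches the stub signer; every JSON-derived value is rejected before signing.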

Information Disclosure

Weakness Enumeration

Related Identifiers: GHSA-VJH7-7G9H-FJFH

Affected Products: Elliptic