Improper Verification of Cryptographic Signature (CVE-2024-48948)

[avembankottu]

https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303

[bora-yuksel-1]

+1 to this, seems like a PR is already open for this issue: #322

[un4ckn0wl3z]

+1

[avembankottu]

any idea when will it get merged ?

[LordOfCinder2000]

+1

[paulmillr]

1. This is not CVE: just a bug.
2. Maintainer is currently focused on other important things, so it's unclear when it would be fixed.
3. Switch to newer package noble-curves instead.

[jcheung-xmatters]

+1
Unfortunately it's not as simple as "switch to another package", as this library is a dependency 4 levels down in my project.

[chadlwilson]

Fixed in 6.6.0 via #326 - you can close this issue now.

[avembankottu]

Snyk complaining that the vuln still exist in 6.6.0 via #326 @chadlwilson

[chadlwilson]

Then you should contact Snyk to ask them to re-assess and update the fixed version. An OSS project with volunteer contributors does not control proprietary security tool databases - there's no point complaining about that here.