How severe is CVE-2024-48930?

This vulnerability has a severity rating of HIGH with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-48930?

This is classified as CWE-354, which is a common weakness in software security.

CVE-2024-48930 - HIGH Severity | CVSS N/A

Vulnerability Description

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. `publicKeyVerify()` incorrectly returning `true` on those invalid keys, and e.g. `publicKeyTweakMul()` also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.

Related Vulnerabilities

CVE-2017-15994

CRITICAL

CVSS:9.8(Critical)

rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has signif...

CWE-3542017

CVE-2023-28386

CRITICAL

CVSS:9.8(Critical)

Snap One OvrC Pro devices versions 7.2 and prior do not validate firmware updates correctly. The device only calculates the MD5 hash of the firmware and does not check using a private-public key mecha...

CWE-3542023

CVE-2023-33668

CRITICAL

CVSS:9.8(Critical)

DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers.

CWE-3542023

CVE-2025-24148

CRITICAL

CVSS:9.8(Critical)

This issue was addressed with improved handling of executable types. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. A malicious JAR file may bypass Gatekeeper ch...

CWE-3542025

CVE-2022-29898

CRITICAL

CVSS:9.1(Critical)

On various RAD-ISM-900-EN-* devices by PHOENIX CONTACT an admin user could use the configuration file uploader in the WebUI to execute arbitrary code with root privileges on the OS due to an improper ...

CWE-3542022

CVE-2024-3596

CRITICAL

CVSS:9.0(Critical)

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a...

CWE-3542024