GHSA-r9p9-mrjm-926w · Severity: medium · Ecosystem: npm — Elliptic Uses a Broken or Risky Cryptographic Algorithm
The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the derive function actually exists on the secp256k1 curve. This results in the potential for the private key used in this implementation to be revealed after a number of ECDH operations are performed.
Conclusion & alert: CVE-2020-28498 is rated Moderate Risk (47.4/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.24%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 3.94% | 1.24% | -2.69% |
| 2 | 2026-02-13 | 0.87% | 3.94% | +3.07% |
| 3 | 2026-02-08 | — | 0.87% | — |
Full EPSS history (21 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 3.1 | MEDIUM |
|
2.2 | 4.0 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
GHSA-r9p9-mrjm-926w · Severity: medium · Ecosystem: npm — Elliptic Uses a Broken or Risky Cryptographic Algorithm
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2020-28498 not yet assigned priority: Debian including 1 source packages (node-elliptic), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-28498 |
ubuntu
|
medium | CVE-2020-28498 medium priority: Ubuntu including 1 source packages (node-elliptic), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 8, needs-triage 6, DNE 2. | https://ubuntu.com/security/CVE-2020-28498 |
| URL | Tags |
|---|---|
| https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md | Third Party Advisory |
| https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f | Patch Third Party Advisory |
| https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836 | Patch Third Party Advisory |
| https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899 | Patch Third Party Advisory |