AIKIDO-2026-10557

starkbank-ecdsa is vulnerable to Improper Verification of Cryptographic Signature

Improper Verification of Cryptographic Signature (Pre-CVE)
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 27, 2026

Risk score: 60 (Medium Risk)

This Affects:

DOTNET: starkbank-ecdsa
Affected versions: 0.0.1 - 1.3.2
Fixed in 1.3.3

TL;DR

The Ecdsa.verify method compares the signature's r value to the x coordinate of the point produced by the verification combination step without first rejecting the point at infinity, so some degenerate results can be handled incorrectly. The curve membership helper, contains, and the construction of public keys from coordinates also accepted coordinates outside the field range, and did not treat infinity or subgroup membership the same way as the hardened implementation. The update adds an explicit infinity check before the comparison, coordinate range checks in contains, and stricter PublicKey import checks, so invalid points and the point at infinity are not accepted when verifying signatures or loading keys.
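
The three checks named above, sketched in Python on a constructed toy curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of prime order 19). This is an added example, not code from starkbank-ecdsa (a .NET library); contains_unchecked, add, mul and the tuple/None point representation are assumptions made for illustration.

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (textbook-sized, not secure).
P, A, B = 17, 2, 2
G, N = (5, 1), 19        # generator and its prime order
INF = None               # point at infinity (representation is an assumption)

def contains_unchecked(pt):
    """Weak form: curve equation only, so (x + P, y) also passes."""
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def contains(pt):
    """Hardened form: reject infinity and coordinates outside [0, P-1]."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and contains_unchecked(pt)

def add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF       # P + (-P), including doubling a point with y = 0
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def verify(z, r, s, Q):
    """ECDSA verify over the toy curve; z is the message hash as an integer."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    if not contains(Q) or mul(N, Q) is not INF:   # on-curve and in the subgroup
        return False
    w = pow(s, -1, N)
    R = add(mul(z * w % N, G), mul(r * w % N, Q))
    if R is INF:          # explicit infinity check before comparing r to R.x
        return False
    return R[0] % N == r
```

With the constructed key d = 7 (Q = (0, 6)) and nonce k = 3, the hash z = 10 signs to (r, s) = (10, 14), which verify accepts. verify(12, 1, 5, Q) drives the combination step to the point at infinity and is rejected, as is the out-of-range encoding (17, 6) of the same public key.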

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

starkbank-ecdsa is vulnerable to Improper Verification of Cryptographic Signature in versions 0.0.1 - 1.3.2.

How to fix this

Upgrade the starkbank-ecdsa library to the patched version, 1.3.3.