Intel

AIKIDO-2026-830390

starkbank/ecdsa is vulnerable to Signature Malleability

Signature Malleability Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

31

Low Risk

This Affects:

PHPstarkbank/ecdsa
2.0.0 - 2.1.0
Fixed in 2.2.0
Are you affected? Scan for Free

TL;DR

The pure-PHP ECDSA implementation in src/ecdsa.php signs messages without normalizing the result to the low-S form, so sign can emit high-S signatures and verify accepts both a signature and its N - s counterpart as valid for the same message and key. A party that observes one valid signature can therefore derive a second, distinct signature that still verifies, producing signature malleability that can break systems relying on signature uniqueness. The same code also omits an on-curve check for the supplied public key during verification and derives signing nonces from a plain random source instead of a hedged RFC 6979 construction. The fix normalizes signatures to low-S, rejects public keys that are not on the curve, adopts hedged RFC 6979 nonces, and corrects hash truncation for digests larger than the curve order.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

starkbank/ecdsa is vulnerable to Signature Malleability in versions 2.0.0 - 2.1.0.

How to fix this

Upgrade the starkbank/ecdsa library to the patch version.