Security concern – Crypto-browserify dependency on vulnerable elliptic package

[vkb-stack]

Hi Team,

I’d like to report a security concern regarding crypto-browserify. The package currently depends on elliptic, which has a known critical vulnerability in its elliptic curve cryptography implementation.

Affected dependency: elliptic

Package: elliptic

Severity: Critical

Impact: Potential compromise of cryptographic strength

Details:GHSA-6p4c-r453-8743: PuTTY

Could you please review this dependency and update it to a secure version or recommend a mitigation path?

Thank you for maintaining this project and your support in addressing this issue.

[ljharb]

I think you linked to the wrong GHSA - that's about putty, not this package.

[vkb-stack]

crypto-browserify has transitive dependency on elliptic@6.6.0 ..the below dependency is using elliptic
1.browserify-sign
2.create-ecdh

As there there is no elliptic version without high vulnerablity. Can you please suggest how should we mitigate this issue..Will there be any updated crypto-browserify version which doesn't have dependency on elliptic.?
Thanks for all your support

[ljharb]

Only if elliptic publishes a fix in a non-major update, or if an alternative package with the same engine support exists (I'm not aware of any).

If you can link to the proper GHSA or CVE, then I can probably suggest alternative mitigations.

[timsmithgenesys]

@ljharb I believe this is the relevant CVE https://www.cve.org/CVERecord?id=CVE-2024-48948

We're facing this issue as reported by Snyk: https://security.snyk.io/vuln/SNYK-JS-ELLIPTIC-8187303

• Introduced through: crypto-browserify@3.12.1 › browserify-sign@4.2.3 › elliptic@6.6.1
• Introduced through: crypto-browserify@3.12.1 › create-ecdh@4.0.4 › elliptic@6.6.1

[ljharb]

Thanks! I'll look into it.

[fstani]

Hi @ljharb I see that one dependency that also has a listed vulnerability as a transitive dependency was recently updated by you recently, maybe we can have a new build of this package as well targeting the new version?

https://github.com/browserify/browserify-sign

I also noticed there's a dep on this other one:
https://github.com/browserify/browserify-cipher

Which could maybe use an update as well?
https://www.npmjs.com/package/browserify-aes

|-- browserify-aes@1.2.0
|-- cipher-base@1.0.4 https://www.cvedetails.com/cve/CVE-2025-9287
|-- create-hash@1.2.0
|-- sha.js@2.4.11 https://www.cvedetails.com/cve/CVE-2025-9288

[fstani]

I can make some PRs in the other projects as well to help with these lib updates, and link them here if you want

[ljharb]

the problem with all of them is that there does not exist a replacement for elliptic that both fixes the vulnerability and supports the same environments we do.

[fstani]

Seems like elliptic@6.6.1 solves the issue, maybe we can upgrade it?

[fstani]

@ljharb I've made a PR to the project that is linking to elliptic

browserify/createECDH#25

I think I've still missing the other ones, we are solving with transient deps but would be great to also have a quick bump here

[ljharb]

From that linked PR, here's my comment:

There's no need for it at all - the fixed versions are all in-range. You just need to update your lockfiles.

In other words, when the fixed versions are in-range, it is on you alone, and not on any maintainer, to make the change.