CVE-2020-1026

CRITICAL

MSR JavaScript Cryptography Library - Info Disclosure

Title source: llm

Description

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the libraryâ€™s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a serverâ€™s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka 'MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability'.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026

Scores

CVSS v3 9.8

EPSS 0.0254

EPSS Percentile 82.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-200 CWE-347

Status published

Products (2)

microsoft/research_javascript_cryptography_library 1.4

npm/msrcrypto 0 - 1.5.8npm

Published Apr 15, 2020

Tracked Since Feb 18, 2026