diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31fde543..d8d7fabb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@ and this project adheres to
 
 - @cosmjs/cosmwasm-stargate: Fix `ContractCodeHistory` decoding when msg
   contains non-printable ASCII ([#1320]).
+- @cosmjs/crypto: Bump elliptic version to ^6.5.4 due to
+  [CVE-2020-28498](https://github.com/advisories/GHSA-r9p9-mrjm-926w).
 
 [#1320]: https://github.com/cosmos/cosmjs/pull/1320
 
diff --git a/packages/crypto/package.json b/packages/crypto/package.json
index 1ac84293..f8fa090e 100644
--- a/packages/crypto/package.json
+++ b/packages/crypto/package.json
@@ -46,7 +46,7 @@
     "@cosmjs/utils": "workspace:^",
     "@noble/hashes": "^1",
     "bn.js": "^5.2.0",
-    "elliptic": "^6.5.3",
+    "elliptic": "^6.5.4",
     "libsodium-wrappers": "^0.7.6"
   },
   "devDependencies": {
diff --git a/yarn.lock b/yarn.lock
index 204c3bff..6901f6c7 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -462,7 +462,7 @@ __metadata:
     "@typescript-eslint/parser": ^5.13.0
     bn.js: ^5.2.0
     buffer: ^6.0.3
-    elliptic: ^6.5.3
+    elliptic: ^6.5.4
     eslint: ^7.5
     eslint-config-prettier: ^8.3.0
     eslint-import-resolver-node: ^0.3.4
@@ -3153,7 +3153,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"elliptic@npm:^6.5.3":
+"elliptic@npm:^6.5.4":
   version: 6.5.4
   resolution: "elliptic@npm:6.5.4"
   dependencies: