Cyber Web Spider Blog – News
Critical OpenPGP.js Vulnerability Allows Spoofing

Posted on May 21, 2025 By CWS

The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.

OpenPGP.js is an open source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any system. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”

Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.

Researchers Edoardo Geraci and Thomas Rinsma of Codean Labs recently discovered that OpenPGP.js is affected by a critical vulnerability.

The flaw allows an attacker to spoof signature verification using a specially crafted message passed to the ‘openpgp.verify’ or ‘openpgp.decrypt’ functions, causing them to “return a valid signature verification result while returning data that was not actually signed”.

“In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker’s choice, which will appear as legitimately signed by affected versions of OpenPGP.js,” the researchers explained.

“In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker’s choice) together with that signature,” they added.

Tracked as CVE-2025-47934, the issue affects OpenPGP.js versions 5 and 6, and it has been patched with the release of versions 5.11.3 and 6.1.1. Workarounds are also available.
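
To find out whether a Node.js project still ships an affected copy, including nested or aliased transitive installs, the lockfile can be checked against the fixed versions named above. The following is an added example, not code from the article or from the OpenPGP.js project; it assumes every 5.x release below 5.11.3 and every 6.x release below 6.1.1 is affected, and the sample lockfile and its package names are constructed.

```javascript
// Assumption: every 5.x below 5.11.3 and every 6.x below 6.1.1 is treated as affected.
const FIXED = { 5: [5, 11, 3], 6: [6, 1, 1] };

// Parse "major.minor.patch[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v));
  return m ? { core: [+m[1], +m[2], +m[3]], pre: m[4] !== undefined } : null;
}

function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL or tag: fail closed and review by hand
  const fixed = FIXED[p.core[0]];
  if (!fixed) return false; // the advisory covers majors 5 and 6 only
  for (let i = 0; i < 3; i++)
    if (p.core[i] !== fixed[i]) return p.core[i] < fixed[i];
  return p.pre; // a prerelease of the fixed version sorts before the fix
}

// Collect every installed copy of "openpgp", including nested and aliased ones.
function findOpenpgp(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (path !== '' && name === 'openpgp') hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'openpgp') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile; package names other than "openpgp" are hypothetical.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/openpgp': { version: '6.1.1' },
    'node_modules/legacy-crypto/node_modules/openpgp': { version: '5.11.2' },
    'node_modules/old-tool/node_modules/openpgp': { version: '4.10.10' },
    'node_modules/pgp-alias': { name: 'openpgp', version: '6.0.0-beta.1' },
  },
};
console.log(findOpenpgp(SAMPLE_LOCK).filter((h) => h.affected));
```

On a real project, pass the parsed contents of `package-lock.json` to `findOpenpgp` and fail the build when any entry has `affected: true`.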

