Critical OpenPGP.js Vulnerability Allows Spoofing

Critical OpenPGP.js Vulnerability Allows Spoofing

Posted on By CWS

The builders of OpenPGP.js have launched updates to patch a important vulnerability that may be exploited to spoof message signature verification.

OpenPGP.js is an open supply JavaScript implementation of the OpenPGP e mail encryption library, enabling its use on any system. In line with its builders, “The thought is to implement all of the wanted OpenPGP performance in a JavaScript library that may be reused in different initiatives that present browser extensions or server purposes.”

Its web site reveals that OpenPGP.js is utilized by initiatives akin to FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Wherever, and Passbolt.

Researchers Edoardo Geraci and Thomas Rinsma of Codean Labs found lately that OpenPGP.js is affected by a important vulnerability.

The flaw permits an attacker to spoof signature verification utilizing a specifically crafted message handed to the ‘openpgp.confirm’ or ‘openpgp.decrypt’ features, inflicting them to “return a sound signature verification outcome whereas returning information that was not really signed”.

“As a way to spoof a message, the attacker wants a single legitimate message signature (inline or indifferent) in addition to the plaintext information that was legitimately signed, and might then assemble an inline-signed message or signed-and-encrypted message with any information of the attacker’s selection, which is able to seem as legitimately signed by affected variations of OpenPGP.js,” the researchers defined.

“In different phrases, any inline-signed message will be modified to return some other information (whereas nonetheless indicating that the signature was legitimate), and the identical is true for signed+encrypted messages if the attacker can get hold of a sound signature and encrypt a brand new message (of the attacker’s selection) along with that signature,” they added.

Tracked as CVE-2025-47934, the difficulty impacts OpenPGP.js variations 5 and 6, and it has been patched with the discharge of variations 5.11.3 and 6.1.1. Workarounds are additionally obtainable.Commercial. Scroll to proceed studying.

Associated: Cisco Confirms Some Merchandise Impacted by Crucial Erlang/OTP Flaw

Associated: Vulnerabilities in MongoDB Library Permit RCE on Node.js Servers

Associated: Solana Web3.js Library Backdoored in Provide Chain Assault

Associated: Crucial Commvault Vulnerability in Attacker Crosshairs

Security Week News Tags:, , ,

Related Posts

Is AI Use in the Workplace Out of Control? Is AI Use in the Workplace Out of Control? Security Week News
High-Severity Vulnerabilities Patched in Tenable Nessus Agent High-Severity Vulnerabilities Patched in Tenable Nessus Agent Security Week News
Trustifi Raises Million for AI-Powered Email Security Trustifi Raises $25 Million for AI-Powered Email Security Security Week News
200,000 Harbin Clinic Patients Impacted by NRS Data Breach 200,000 Harbin Clinic Patients Impacted by NRS Data Breach Security Week News
Amazon Detects 150,000 NPM Packages in Worm-Powered Campaign  Amazon Detects 150,000 NPM Packages in Worm-Powered Campaign  Security Week News
Linux Security: New Flaws Allow Root Access, CISA Warns of Old Bug Exploitation Linux Security: New Flaws Allow Root Access, CISA Warns of Old Bug Exploitation Security Week News