Cyber Web Spider Blog – News
Critical OpenPGP.js Vulnerability Allows Spoofing

Posted on May 21, 2025 By CWS

The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.

OpenPGP.js is an open source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any device. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”

Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.

Researchers Edoardo Geraci and Thomas Rinsma of Codean Labs recently discovered that OpenPGP.js is affected by a critical vulnerability.

The flaw allows an attacker to spoof signature verification using a specially crafted message passed to the ‘openpgp.verify’ or ‘openpgp.decrypt’ functions, causing them to “return a valid signature verification result while returning data that was not actually signed”.

“In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker’s choice, which will appear as legitimately signed by affected versions of OpenPGP.js,” the researchers explained.

“In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker’s choice) along with that signature,” they added.

Tracked as CVE-2025-47934, the issue affects OpenPGP.js versions 5 and 6, and it has been patched with the release of versions 5.11.3 and 6.1.1. Workarounds are also available.
