A critical vulnerability in OpenPGP.js, a widely used JavaScript library for encrypted messaging and digital signatures, has been patched after researchers discovered it allowed attackers to spoof message signatures, potentially undermining the trust model of public key cryptography.
The flaw, tracked as CVE-2025-47934, was uncovered by security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs. It affects OpenPGP.js versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0, but not version 4.x.
The vulnerability, which received a CVSS score of 8.7 (high), enables attackers to manipulate signed or signed-and-encrypted messages so that they appear to be validly signed by a trusted party even when the underlying data has been maliciously altered.
OpenPGP.js powers encryption and signature verification in numerous web-based email clients and applications, including FlowCrypt, Mailvelope, and others.
This broad adoption heightened the urgency of the patch, as the flaw could allow cybercriminals to send spoofed messages or software commits that appear trustworthy.
Technical Details
The vulnerability stems from how OpenPGP.js processes and verifies message signatures. Attackers can craft a malicious message by appending additional packets to a legitimately signed message.
When such a message is processed by the library's openpgp.verify or openpgp.decrypt functions, the result may indicate a valid signature, even though the data returned is not what was actually signed. This breaks the core guarantee of message integrity and authenticity.
Researchers demonstrated that with access to a single valid signature, an attacker could create new messages containing any content, which would then be falsely verified as authentic by affected OpenPGP.js versions.
Both inline-signed and signed-and-encrypted messages were vulnerable, though detached signature verifications were not affected.
The vulnerability was responsibly disclosed to the OpenPGP.js maintainers, who released patches in versions 5.11.3 and 6.1.1. Users and organizations are strongly urged to upgrade immediately.
For those unable to update, temporary workarounds include verifying signatures as detached rather than inline and handling decryption and verification in separate steps.
The discovery underscores the importance of rigorous security reviews, even for widely used and mature open-source libraries.
As Codean Labs’ Thomas Rinsma noted, “When you search thoroughly, even in such a widely-used (and, presumably, widely reviewed) open source component, critical bugs may be found”.
- May 6, 2025: Vulnerability reported to OpenPGP.js bug bounty program.
- May 19, 2025: CVE-2025-47934 assigned, patches released.
- June 10, 2025: Full technical write-up published.
Users of OpenPGP.js are advised to update their software as soon as possible to ensure the integrity of their encrypted communications and digital signatures.