188/68 Friday, May 23, 2025
Security researchers from Codean Labs have disclosed a critical vulnerability in the OpenPGP.js JavaScript library (CVE-2025-47934), an open-source implementation used for encryption and digital signing. The flaw affects versions 5.0.1 to 5.11.2 and 6.0.0 to 6.1.0, and allows attackers to spoof digital signatures in inline-signed or signed+encrypted messages. Detached signatures are not affected by this issue.
According to the security advisory, an attacker could create a fake message using a single valid signature (inline or detached) along with the original signed content, and combine them into a new message that appears to be correctly signed, even though the content has been entirely altered. This could mislead recipients into believing the message was genuinely authorized by the sender.
The vulnerability was discovered by researchers Edoardo Geraci and Thomas Rinsma, and has been patched in OpenPGP.js versions 5.11.3 and 6.1.1. Users are strongly urged to update to the latest version immediately. For those unable to upgrade right away, it is recommended to manually verify signatures, rather than relying solely on the functions openpgp.verify() or openpgp.decrypt().
