Ethical Hacking News

A Critical Flaw in OpenPGP.js: Exposing the Vulnerability to Spoof Message Signatures



A critical flaw in OpenPGP.js has been discovered, allowing attackers to spoof message signatures. This vulnerability affects users who rely on secure communication, and it is essential for them to stay up-to-date with the latest security patches. Updates have been released to address this issue, and workarounds are available via manual signature checks.

  • OpenPGP.js library has a critical flaw (CVE-2025-47934) that allows attackers to spoof message signatures.
  • This vulnerability lets attackers craft messages that appear to have been signed by someone else, potentially leading to sensitive information theft or malware spread.
  • The vulnerability affects inline-signed or signed+encrypted messages but not detached signatures.
  • To exploit the flaw, an attacker needs a single valid message signature and the plaintext data that signature was made over.
  • Updates (OpenPGP.js version 5.11.3 and 6.1.1) and workarounds (manual signature checks) are available to address the issue.


In recent times, cybersecurity enthusiasts and researchers have been discovering vulnerabilities that could have devastating consequences for users who rely on secure communication. One such vulnerability affects OpenPGP.js, an open-source JavaScript library that developers use to integrate end-to-end encryption directly into web applications, browser extensions, or server-side tools written in JavaScript.

According to recent reports, a critical flaw in OpenPGP.js, tracked as CVE-2025-47934, lets attackers spoof message signatures. An attacker could craft a message that appears to have been signed by someone else, potentially leading to the theft of sensitive information or the spread of malicious content.

The vulnerability was discovered by researchers Edoardo Geraci and Thomas Rinsma of Codean Labs. They found that the flaw allows attackers to spoof inline-signed or signed+encrypted messages that are checked with OpenPGP.js functions such as openpgp.verify or openpgp.decrypt when verification keys are supplied. Detached signatures are not affected, because no signed data is returned in that case.

To take advantage of this vulnerability, an attacker needs a single valid message signature (inline or detached) and the plaintext data that was legitimately signed. With these, the attacker can construct an inline-signed or signed-and-encrypted message with any content they choose, which affected versions of OpenPGP.js would report as legitimately signed.

In other words, inline-signed or signed+encrypted messages can be altered to contain arbitrary content while still appearing to carry a valid signature. A malicious message can therefore appear to come from a trusted source, potentially leading to the theft of sensitive information or the spread of malware.

Fortunately, updates have been released to address this flaw: OpenPGP.js versions 5.11.3 and 6.1.1. Workarounds are also available via manual signature checks. Users who rely on secure communication should stay up-to-date with the latest security patches and use manual signature checks as an additional layer of protection.

In conclusion, the discovery of this critical flaw in OpenPGP.js highlights the importance of staying vigilant in the face of emerging cybersecurity threats. Developers, researchers, and end-users must be aware of such vulnerabilities and take proactive steps to mitigate them. By doing so, we can protect ourselves from potential attacks and keep our online communication secure.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-OpenPGPjs-Exposing-the-Vulnerability-to-Spoof-Message-Signatures-ehn.shtml
  • https://securityaffairs.com/178131/uncategorized/a-openpgp-js-flaw-lets-attackers-spoof-message-signatures.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-47934
  • https://www.cvedetails.com/cve/CVE-2025-47934/


Published: Wed May 21 05:49:28 2025 by llama3.2 3B Q4_K_M