

Ethical Hacking News

A Critical Flaw in OpenPGP.js: How a Vulnerability Could Undermine the Trustworthiness of Encrypted Communications


Researchers have identified a critical flaw in OpenPGP.js that could allow both signed and encrypted messages to be spoofed, posing significant threats to the trustworthiness of encrypted communications.

  • A newly discovered bug in OpenPGP.js (CVE-2025-47934) could allow messages to be spoofed, compromising secure communications.
  • The vulnerability affects versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0 of the library.
  • Users are advised to upgrade to the fixed versions (5.11.3 or 6.1.1) as soon as possible.
  • Until the fix is applied, users should scrutinize signed messages and verify signatures in two steps:
      1. Decrypt without verificationKeys using openpgp.decrypt.
      2. Verify the signature against a new message containing the decrypted data using openpgp.verify.


In recent days, security researchers have sounded an alarm over a freshly discovered bug in the JavaScript implementation of OpenPGP (OpenPGP.js), which could allow both signed and encrypted messages to be spoofed. This vulnerability, tracked as CVE-2025-47934 with a severity rating of high, has significant implications for the use of public key cryptography to secure communications.

The discovery was made by Codean Labs' Edoardo Geraci and Thomas Rinsma, two security researchers who identified a flaw in the openpgp.verify and openpgp.decrypt functions. According to an advisory posted on the library's GitHub repository, a maliciously modified message can be passed to either function and cause it to report a valid signature for data that was not actually signed. This is possible because OpenPGP.js reported the signature as valid without properly checking it against the content it returned.

The researchers emphasized that this vulnerability does not affect versions 4.x; it affects versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0, and users of those versions are advised to upgrade to either 5.11.3 or 6.1.1 as soon as possible. Daniel Huigens, cryptography team lead at Proton and head maintainer of OpenPGP.js, highlighted that until they can upgrade, users should scrutinize any ostensibly signed message they receive and verify each signature as a detached one.

For signed-and-encrypted messages, Huigens suggested verifying their legitimacy in two steps. First, call openpgp.decrypt without verificationKeys; then pass the returned signatures, together with a new message containing the decrypted data, to openpgp.verify. This advisory comes at a time when encrypted email providers are relying heavily on OpenPGP for end-to-end encryption.
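The two-step check from the summary bullets and Huigens' workaround above, as an added example written for this article (not code from OpenPGP.js, the advisory or Proton): the function name decryptThenVerify and its option shape are this example's own, the openpgp module is passed in as a parameter so the wiring can be exercised against a stub, and the calls assume the OpenPGP.js 5.x/6.x API (readMessage, decrypt, createMessage, verify).

```javascript
// Added example, not code from the article or from the OpenPGP.js project: the
// two-step workaround for CVE-2025-47934 against the OpenPGP.js 5.x/6.x API.
// The `openpgp` module is passed in as a parameter; with the real library, call
// decryptThenVerify(require('openpgp'), { armoredMessage, decryptionKeys, verificationKeys }).
async function decryptThenVerify(openpgp, { armoredMessage, decryptionKeys, verificationKeys }) {
  const message = await openpgp.readMessage({ armoredMessage });

  // Step 1: decrypt WITHOUT verificationKeys. The `verified` promises that
  // decrypt() returns are exactly what the bug makes untrustworthy, so they
  // are deliberately ignored here.
  const { data, signatures } = await openpgp.decrypt({ message, decryptionKeys });
  if (!signatures || signatures.length === 0) {
    throw new Error('message carries no signature');
  }

  // Step 2: build a fresh message from the plaintext actually returned and
  // verify every signature against it as a detached signature. Each
  // `verified` promise rejects when the signature does not match the data
  // or was not made by one of the expected verificationKeys.
  const plaintext = typeof data === 'string' ? { text: data } : { binary: data };
  const verifiedKeyIDs = [];
  for (const sig of signatures) {
    const signature = await sig.signature; // Signature object (a promise in v5/v6)
    const freshMessage = await openpgp.createMessage(plaintext);
    const { signatures: results } = await openpgp.verify({
      message: freshMessage,
      signature,
      verificationKeys,
    });
    for (const result of results) {
      await result.verified; // throws on a bad or unknown-key signature
      verifiedKeyIDs.push(result.keyID.toHex());
    }
  }
  // Only plaintext whose signatures all re-verified is handed back to the caller.
  return { data, verifiedKeyIDs };
}
```

With the real library, the returned `data` should be treated as signed only if this call resolves; a rejection means the message was not signed as claimed.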

Proton Mail, an encrypted email provider whose team maintains OpenPGP.js and uses it extensively for its service, is likely affected by this vulnerability. According to recent data, Proton Mail had over 100 million accounts registered as of 2023, indicating a significant number of users relying on the security offered by OpenPGP.

The discovery and advisory highlight the importance of timely patches and awareness about vulnerabilities in widely used software libraries like OpenPGP.js. The incident serves as a reminder to organizations and individuals alike to prioritize software updates and implement robust security protocols to protect sensitive information.




Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-in-OpenPGPjs-How-a-Vulnerability-Could-Undermine-the-Trustworthiness-of-Encrypted-Communications-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/05/20/openpgp_js_flaw/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-47934

  • https://www.cvedetails.com/cve/CVE-2025-47934/


Published: Tue May 20 11:37:20 2025 by llama3.2 3B Q4_K_M
