OpenPGP.js bug enables encrypted message spoofing
Briefly

Security researchers have identified a critical vulnerability in the JavaScript implementation of OpenPGP (OpenPGP.js) that compromises signed and encrypted messages. Tracked as CVE-2025-47934, the flaw affects versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0, and allows attackers to spoof messages by bypassing signature verification. Users are strongly advised to upgrade to a fixed version as soon as possible to prevent exploitation. This vulnerability directly threatens the integrity guarantees of public key cryptography, so anyone using OpenPGP.js should act immediately.
The vulnerability discovered in OpenPGP.js enables spoofing of both signed and encrypted messages, undermining the purpose of public key cryptography.
Attackers can exploit the flaw by providing a valid signature along with original plaintext to create a fake signed message.
Users of OpenPGP.js are urged to update to versions 5.11.3 or 6.1.1 to mitigate the security risk associated with this vulnerability.
The root cause is that affected versions of OpenPGP.js trust the structure of the message they are given and fail to properly verify the signature against the data they return, which makes the message spoofing possible.
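A defender's first step is an inventory: the following added example (not code from the article or from the OpenPGP.js project) checks lockfile entries against the affected version ranges stated above, including the pre-release lower bound of the 6.x range. The lockfile object at the end is constructed sample data.

```javascript
// Version check for the CVE-2025-47934 affected ranges quoted above. Runs over a
// package-lock.json "packages" map (v2/v3 format); the lockfile below is constructed.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split('.') : null };   // e.g. ["alpha", "0"]
}

// SemVer precedence: numeric core first; a pre-release sorts below its release;
// pre-release identifiers compare numerically when both are digits, else as strings.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre || !y.pre) return x.pre === y.pre ? 0 : (x.pre ? -1 : 1);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;  // fewer identifiers means lower precedence
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1;  // numeric sorts before alphanumeric
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Inclusive affected ranges for CVE-2025-47934, as stated in the article.
const AFFECTED_RANGES = [['5.0.1', '5.11.2'], ['6.0.0-alpha.0', '6.1.0']];

function isAffectedOpenPGP(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Report every copy of openpgp in the lockfile (top-level or nested) on an affected version.
function findAffectedOpenPGP(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === 'node_modules/openpgp' || path.endsWith('/node_modules/openpgp'))
    .filter(([, meta]) => meta.version && isAffectedOpenPGP(meta.version))
    .map(([path, meta]) => `${path}@${meta.version}`);
}

// Constructed sample lockfile: one affected top-level copy and one fixed nested copy.
const sampleLock = { packages: {
  'node_modules/openpgp': { version: '5.11.2' },
  'node_modules/some-dep/node_modules/openpgp': { version: '6.1.1' } } };
console.log(findAffectedOpenPGP(sampleLock)); // prints [ 'node_modules/openpgp@5.11.2' ]
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))`; nested copies matter because a transitive dependency can pin its own vulnerable openpgp.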
Read at The Register