- The flaw lets forged messages pass signature verification as if they were legitimate
- The bug affects the 5.x and 6.x release lines of OpenPGP.js
- A patch is available
A security flaw in OpenPGP.js, the JavaScript implementation of OpenPGP, lets threat actors have forged messages pass signature verification as if they were legitimate, effectively defeating the public-key signature guarantee the library is meant to provide. This is according to security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs, who found and recently reported the vulnerability.
OpenPGP.js is an open source JavaScript library that lets developers encrypt, decrypt, sign and verify messages using the OpenPGP standard. Normally, when a user digitally signs a message, the recipient can verify that its content has not been tampered with.
In this case, however, the vulnerability lets an attacker change the content of the message while it still appears to carry a valid signature.
Apply the patch
In theory, the vulnerability could be used for fraudulent payment authorization, among other things. If a company used OpenPGP.js to verify digitally signed payment requests from its customers, an attacker could obtain a valid signed request, modify the payment details and resubmit it, effectively stealing the money.
Versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0 of OpenPGP.js are vulnerable; the problem is fixed in versions 5.11.3 and 6.1.1. Version 4 is not affected.
Those who cannot apply the patch immediately should at least apply the workaround: verify signatures in a separate step rather than relying on the library's built-in check alone, or decrypt messages in two steps so that the data acted on is confirmed to be the data the signature actually covers.
The bug is now tracked as CVE-2025-47934 and has a severity score of 8.7/10 (high). There is currently no confirmed evidence of exploitation in the wild. A proof of concept (PoC) and a detailed analysis of the vulnerability will follow, the maintainers said, presumably to give users time to apply the fix.
Via The Register