Description
OpenPGP cleartext signed messages are cryptographically signed messages whose signed text is readable without special tools.
These messages typically carry a “Hash: …” armor header that declares the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the “Hash: …
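To make the framing concrete, the following is an added example (not OpenPGP.js code, and not from this advisory) that splits a cleartext signed message into its armor-header block, signed text and signature block, then reads the header block in two ways: a lenient reading that skips anything before the first “Hash:” line, which is the behaviour described above, and a strict reading that rejects any non-“Hash:” line in that position, because such lines sit inside the armor but outside the text the signature covers. The function names, the placeholder signature and the two sample messages are constructed for illustration; the message layout follows RFC 4880 section 7.

```javascript
// Added example: minimal framing parser for OpenPGP cleartext signed messages.
// Not OpenPGP.js code; function names and sample messages are constructed.
const BEGIN = '-----BEGIN PGP SIGNED MESSAGE-----';
const BEGIN_SIG = '-----BEGIN PGP SIGNATURE-----';
const END_SIG = '-----END PGP SIGNATURE-----';
const KNOWN_HASHES = new Set(['SHA1', 'SHA224', 'SHA256', 'SHA384', 'SHA512', 'RIPEMD160', 'MD5']);

// Split the armored message into its three regions (RFC 4880 section 7):
//   headerLines: lines between the BEGIN line and the first blank line
//   textLines:   the cleartext the signature actually covers (dash-escaping undone)
//   signature:   the armored signature block (signature verification is out of scope here)
function splitCleartextMessage(armored) {
  const lines = armored.replace(/\r\n/g, '\n').split('\n');
  const beginIdx = lines.indexOf(BEGIN);
  const sigIdx = lines.indexOf(BEGIN_SIG);
  const endIdx = lines.indexOf(END_SIG);
  if (beginIdx < 0 || sigIdx < 0 || endIdx < 0 || !(beginIdx < sigIdx && sigIdx < endIdx)) {
    throw new Error('malformed cleartext signed message framing');
  }
  const blankIdx = lines.indexOf('', beginIdx + 1);
  if (blankIdx < 0 || blankIdx > sigIdx) {
    throw new Error('missing blank line after armor headers');
  }
  return {
    headerLines: lines.slice(beginIdx + 1, blankIdx),
    // The line break before BEGIN_SIG is framing, not signed text, so slice() stops at sigIdx.
    textLines: lines.slice(blankIdx + 1, sigIdx).map(l => (l.startsWith('- ') ? l.slice(2) : l)),
    signature: lines.slice(sigIdx, endIdx + 1).join('\n'),
  };
}

// Parse "Hash: A, B" lines into a list of algorithm names, rejecting unknown ones.
function parseHashValues(hashLines) {
  const algos = hashLines.flatMap(l => l.slice('Hash: '.length).split(',').map(s => s.trim()));
  for (const a of algos) {
    if (!KNOWN_HASHES.has(a)) throw new Error(`unknown hash algorithm ${a}`);
  }
  return algos;
}

// Lenient reading, matching the behaviour the advisory describes: anything before
// the first "Hash:" line is skipped and never surfaced to the caller.
function parseHeadersLenient(headerLines) {
  const firstHash = headerLines.findIndex(l => l.startsWith('Hash: '));
  const relevant = firstHash < 0 ? [] : headerLines.slice(firstHash);
  return parseHashValues(relevant.filter(l => l.startsWith('Hash: ')));
}

// Strict reading: every line in the header block must be a "Hash:" header. Anything
// else is data that is not covered by the signature, so fail closed instead of dropping it.
function parseHeadersStrict(headerLines) {
  const stray = headerLines.filter(l => !l.startsWith('Hash: '));
  if (stray.length) {
    throw new Error(`unexpected data before Hash header: ${JSON.stringify(stray[0])}`);
  }
  return parseHashValues(headerLines);
}

// Returns { hashAlgorithms, text, signature }; `strict` selects the header reading.
function extractSignedText(armored, { strict = true } = {}) {
  const { headerLines, textLines, signature } = splitCleartextMessage(armored);
  const hashAlgorithms = strict ? parseHeadersStrict(headerLines) : parseHeadersLenient(headerLines);
  return { hashAlgorithms, text: textLines.join('\n'), signature };
}

// Constructed samples. The signature block is a placeholder, not a real signature.
const SIG_BLOCK = [BEGIN_SIG, '', 'iQEzBAEBCAAdFiEEplaceholderplaceholderplaceholder', '=abcd', END_SIG];
const GOOD_MESSAGE = [
  BEGIN, 'Hash: SHA256', '',
  'Transfer 10 EUR to account A.',
  '- -----This line was dash-escaped-----',
  ...SIG_BLOCK,
].join('\n');
// Same message with an extra line smuggled in before the Hash header. It is not
// part of the signed text, but a reader of the raw message sees it inside the armor.
const TAMPERED_MESSAGE = [
  BEGIN, 'Transfer 1000 EUR to account B.', 'Hash: SHA256', '',
  'Transfer 10 EUR to account A.',
  '- -----This line was dash-escaped-----',
  ...SIG_BLOCK,
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(extractSignedText(GOOD_MESSAGE));
  console.log(extractSignedText(TAMPERED_MESSAGE, { strict: false }).text);
  try { extractSignedText(TAMPERED_MESSAGE); } catch (e) { console.log('strict:', e.message); }
}
```

Run with `node` to see the three outcomes: the clean message parses either way, the lenient reading of the tampered message returns only the genuinely signed text and silently drops the injected line, and the strict reading refuses the message. The strict check belongs in the parser rather than in application code, since the application only ever sees the text the library hands back.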
Recommendation
Update the openpgp package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.10.1** and **< 4.10.11**. Patched version(s): **5.10.1** and **4.10.11**.
References
- Tags:
- npm
- openpgp
Last updated on November 06, 2023