Description
OpenPGP Cleartext Signed Messages are cryptographically signed messages in which the signed text remains readable without special tools.
These messages typically contain a “Hash: …” header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the “Hash: …
Recommendation
Update the openpgp package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.10.1** and **< 4.10.11**
Patched version(s): **5.10.1** (5.x branch) and **4.10.11** (4.x branch)
References
Related Issues
- Message Signature Bypass in openpgp - CVE-2019-9153
- OpenPGP.js's message signature verification can be spoofed - CVE-2025-47934
- RSA signature validation vulnerability on malleable encoded message in jsrsasign - CVE-2021-30246
- Parse Server option `masterKeyIps` vulnerability to IP spoofing - CVE-2023-22474
Tags:
- npm
- openpgp
Last updated on November 06, 2023