Description
OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools.
These messages typically contain a “Hash: …” header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the “Hash: …
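The check that the affected versions were missing, written here as an added example (not OpenPGP.js code): a strict parser for the RFC 4880 section 7 cleartext signature framework that refuses any line between the BEGIN marker and the blank line that is not a `Hash:` header. The sample messages, the `PLACEHOLDER_SIGNATURE_DATA` value and the function names are constructed for this example.

```javascript
// Added example, not OpenPGP.js code: strict parser for the cleartext
// signature framework of RFC 4880 section 7. Affected OpenPGP.js versions
// ignored data placed before the "Hash:" header; this parser rejects any
// line between the BEGIN marker and the blank line that is not a Hash header.
const BEGIN = '-----BEGIN PGP SIGNED MESSAGE-----';
const SIG_BEGIN = '-----BEGIN PGP SIGNATURE-----';
// Digest names RFC 4880 permits in the Hash header.
const KNOWN_HASHES = new Set(['MD5', 'SHA1', 'RIPEMD160', 'SHA256', 'SHA384', 'SHA512', 'SHA224']);

function parseCleartextSigned(armored) {
  const lines = armored.replace(/\r\n/g, '\n').split('\n');
  if (lines[0] !== BEGIN) throw new Error('missing cleartext header line');
  const hashes = [];
  let i = 1;
  // Header section: only "Hash: ..." lines may appear, then exactly one empty line.
  for (; i < lines.length && lines[i] !== ''; i++) {
    const m = /^Hash: ([A-Za-z0-9, ]+)$/.exec(lines[i]);
    if (!m) throw new Error(`unexpected data before the Hash header: ${JSON.stringify(lines[i])}`);
    for (const name of m[1].split(',').map(s => s.trim())) {
      if (!KNOWN_HASHES.has(name)) throw new Error(`unknown hash algorithm: ${name}`);
      hashes.push(name);
    }
  }
  // RFC 4880 says to assume MD5 when no Hash header is present; refuse instead.
  if (hashes.length === 0) throw new Error('no Hash header');
  if (i >= lines.length) throw new Error('missing empty line after headers');
  i++; // skip the single empty line that separates headers from the text
  const sigStart = lines.indexOf(SIG_BEGIN, i);
  if (sigStart === -1) throw new Error('missing signature block');
  // Undo dash-escaping (RFC 4880 section 7.1): a leading "- " protects lines starting with "-".
  const text = lines.slice(i, sigStart).map(l => (l.startsWith('- ') ? l.slice(2) : l)).join('\n');
  return { hashes, text, signature: lines.slice(sigStart).join('\n') };
}

// Constructed samples (no real signature; the armored signature data is a placeholder).
const SIGNATURE_BLOCK = [SIG_BEGIN, '', 'PLACEHOLDER_SIGNATURE_DATA', '-----END PGP SIGNATURE-----'];
const CLEAN_MESSAGE = [BEGIN, 'Hash: SHA256', '', 'Transfer 10 EUR', ...SIGNATURE_BLOCK].join('\n');
// Same message with a line inserted before the Hash header; that line is not covered by the signature.
const PREPENDED_MESSAGE = [BEGIN, 'Transfer 1000 EUR', 'Hash: SHA256', '', 'Transfer 10 EUR', ...SIGNATURE_BLOCK].join('\n');

// True when the parser refuses the message specifically because of data before the Hash header.
function rejectsPrependedData(msg) {
  try { parseCleartextSigned(msg); return false; } catch (e) { return /unexpected data/.test(e.message); }
}

console.log(parseCleartextSigned(CLEAN_MESSAGE).text);  // Transfer 10 EUR
console.log(rejectsPrependedData(PREPENDED_MESSAGE));  // true
```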
Recommendation
Update the openpgp package to the latest compatible version. The version details are:

Affected version(s): **>= 5.0.0, < 5.10.1** and **< 4.10.11**
Patched version(s): **5.10.1** and **4.10.11**
Tags: npm, openpgp
Last updated on November 06, 2023