Description
Versions of openpgp prior to 4.2.0 are vulnerable to Improper Key Verification (CWE-347, Improper Verification of Cryptographic Signature). An OpenPGP signature packet carries two subpacket areas: the hashed area, which is covered by the signature hash, and the unhashed area, which is not. Anyone who can modify a key or message can add or alter unhashed subpackets without invalidating the signature, so their contents cannot be trusted; RFC 4880 notes that the unhashed area is not protected and should only carry advisory information, so security-relevant subpackets such as key expiration time and key flags may only be honoured from the hashed area. The openpgp package does not check which area a subpacket came from, so values taken from the unhashed area are treated as if they had been signed.
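To make the hashed/unhashed distinction concrete, here is an added example in JavaScript, the language of the openpgp package (this is not the package's own code). It parses the subpacket areas of a v4 signature packet body as laid out in RFC 4880 section 5.2.3, tags each subpacket with the area it came from, and contrasts a reader that ignores that tag with one that only honours security-relevant subpackets from the hashed area. The subpacket type numbers come from RFC 4880; the signature body, the key-expiration values and the issuer key ID are constructed test data, and the trailing hash-prefix and MPI bytes are dummies, since verifying the signature itself is out of scope here.

```javascript
// Added example, not code from the openpgp package: parse the subpacket areas
// of an OpenPGP v4 signature packet body (RFC 4880, 5.2.3) and compare a
// reader that ignores the area with one that only trusts the hashed area.
// The sample bytes below are constructed; cryptographic verification is omitted.

const SUBPACKET = { SIG_CREATION_TIME: 2, KEY_EXPIRATION_TIME: 9, ISSUER: 16 }; // RFC 4880 types

// Subpacket length prefix: 1, 2 or 5 octets (RFC 4880, 5.2.3.1).
function readSubpacketLength(buf, off) {
  const b0 = buf[off];
  if (b0 < 192) return { len: b0, size: 1 };
  if (b0 < 255) {
    if (off + 2 > buf.length) throw new Error("truncated subpacket length");
    return { len: ((b0 - 192) << 8) + buf[off + 1] + 192, size: 2 };
  }
  if (off + 5 > buf.length) throw new Error("truncated subpacket length");
  return { len: buf.readUInt32BE(off + 1), size: 5 };
}

// Parse one subpacket area; every entry is tagged with its origin via `hashed`.
function parseSubpacketArea(area, hashed) {
  const out = [];
  let off = 0;
  while (off < area.length) {
    const { len, size } = readSubpacketLength(area, off);
    off += size;
    if (len < 1 || off + len > area.length) throw new Error("truncated subpacket");
    const typeOctet = area[off]; // bit 7 is the "critical" flag
    out.push({ type: typeOctet & 0x7f, critical: (typeOctet & 0x80) !== 0,
               data: area.subarray(off + 1, off + len), hashed });
    off += len;
  }
  return out;
}

// Parse the fixed header and both subpacket areas of a v4 signature body.
function parseV4Signature(body) {
  if (body.length < 8 || body[0] !== 4) throw new Error("not a v4 signature body");
  const hashedLen = body.readUInt16BE(4);
  if (6 + hashedLen + 2 > body.length) throw new Error("truncated hashed area");
  const unhashedStart = 8 + hashedLen;
  const unhashedLen = body.readUInt16BE(6 + hashedLen);
  if (unhashedStart + unhashedLen > body.length) throw new Error("truncated unhashed area");
  return {
    sigType: body[1], pubKeyAlgo: body[2], hashAlgo: body[3],
    hashedBytes: body.subarray(0, 6 + hashedLen), // what the signature hash covers
    subpackets: [
      ...parseSubpacketArea(body.subarray(6, 6 + hashedLen), true),
      ...parseSubpacketArea(body.subarray(unhashedStart, unhashedStart + unhashedLen), false),
    ],
  };
}

// Vulnerable reader: assigns each value as it is encountered, so a later
// unhashed copy silently overrides the signed one.
function keyExpirationVulnerable(sig) {
  let expiry = null;
  for (const sp of sig.subpackets) {
    if (sp.type === SUBPACKET.KEY_EXPIRATION_TIME) expiry = sp.data.readUInt32BE(0);
  }
  return expiry;
}

// Fixed reader: security-relevant subpackets are only honoured from the hashed area.
function keyExpirationFixed(sig) {
  for (const sp of sig.subpackets) {
    if (sp.type === SUBPACKET.KEY_EXPIRATION_TIME && sp.hashed) return sp.data.readUInt32BE(0);
  }
  return null;
}

// ---- constructed test input (not a real signature) --------------------------
function u32(n) { const b = Buffer.alloc(4); b.writeUInt32BE(n); return b; }
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
// One-octet length form is enough for these short bodies; length counts the type octet.
function subpacket(type, data) { return Buffer.concat([Buffer.from([data.length + 1, type]), data]); }
// Header: v4, positive certification (0x13), RSA (1), SHA-256 (8); trailer bytes are dummies.
function buildV4Body(hashedSubpackets, unhashedSubpackets) {
  const hashed = Buffer.concat(hashedSubpackets);
  const unhashed = Buffer.concat(unhashedSubpackets);
  return Buffer.concat([Buffer.from([4, 0x13, 1, 8]), u16(hashed.length), hashed,
                        u16(unhashed.length), unhashed, Buffer.from([0xaa, 0xbb, 0x00, 0x08, 0x80])]);
}

const ONE_YEAR = 365 * 24 * 3600;
const issuer = subpacket(SUBPACKET.ISSUER, Buffer.from("0123456789abcdef", "hex")); // made-up key ID
const hashedArea = [
  subpacket(SUBPACKET.SIG_CREATION_TIME, u32(1546300800)), // 2019-01-01T00:00:00Z
  subpacket(SUBPACKET.KEY_EXPIRATION_TIME, u32(ONE_YEAR)), // signed: valid for one year
];
// As the key owner published it.
const SIGNED_BODY = buildV4Body(hashedArea, [issuer]);
// As an attacker re-publishes it: identical hashed area, extra unhashed "expiration".
const TAMPERED_BODY = buildV4Body(hashedArea, [issuer,
  subpacket(SUBPACKET.KEY_EXPIRATION_TIME, u32(100 * ONE_YEAR))]);

const tampered = parseV4Signature(TAMPERED_BODY);
console.log("vulnerable reader:", keyExpirationVulnerable(tampered) / ONE_YEAR, "years");
console.log("fixed reader:     ", keyExpirationFixed(tampered) / ONE_YEAR, "years");
```

Run with node. The tampered body has exactly the same `hashedBytes` as the original, which is why a signature check alone never notices the injected subpacket: the fix is in which area a consumer is willing to read values from, not in the hash verification.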
Recommendation
Update the openpgp package to 4.2.0 or later (the latest compatible version). Version details:
- Affected version(s): <= 4.1.2
- Patched version(s): 4.2.0
References
- GHSA-hfmf-q43v-2ffj
- sec-consult.com
- www.bsi.bund.de
- snyk.io
- www.npmjs.com
- packetstormsecurity.com
- CVE-2019-9154
- CWE-347
- CAPEC-310
- OWASP Top 10 2021 A02 (Cryptographic Failures)
- OWASP Top 10 2021 A06 (Vulnerable and Outdated Components)
Related Issues
- OpenPGP.js's message signature verification can be spoofed - CVE-2025-47934
- @rpldy/uploader prototype pollution - CVE-2024-57082
- DocsGPT Allows Remote Code Execution - CVE-2025-0868
- Signature Malleability in elliptic - CVE-2020-13822
Tags
- npm
- openpgp
Last updated on January 09, 2023