Description
Versions of openpgp prior to 4.2.0 are vulnerable to Improper Key Verification. The OpenPGP standard allows a signature packet to carry subpackets in either a hashed area or an unhashed area. Only the hashed area is covered by the signature; unhashed subpackets are not cryptographically protected and cannot be trusted. The openpgp package does not check which area a subpacket came from before acting on it.
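As an added illustration (not OpenPGP.js code): a parser for the v4 signature packet body from RFC 4880 §5.2.3 that separates the hashed and unhashed subpacket areas, with a lookup that ignores the distinction beside one that treats only the hashed area as authoritative. The subpacket type numbers are from RFC 4880; the sample packet bytes are constructed for this example, and letting issuer subpackets come from the unhashed area is this example's own policy choice.

```javascript
// Added example, not OpenPGP.js code. Parses a v4 OpenPGP signature packet body
// (RFC 4880 §5.2.3) and reads trust-relevant fields from the hashed area only.
const SUBPACKET = { SIG_CREATION_TIME: 2, SIG_EXPIRATION_TIME: 3, ISSUER: 16, ISSUER_FINGERPRINT: 33 };
const ISSUER_TYPES = new Set([SUBPACKET.ISSUER, SUBPACKET.ISSUER_FINGERPRINT]);

// Parse one subpacket area: repeated [length][type | critical bit][body].
function parseSubpackets(buf, start, end) {
  const out = [];
  let i = start;
  while (i < end) {
    let len = buf[i++];                                    // 1-, 2- or 5-octet length (RFC 4880 §5.2.3.1)
    if (len >= 192 && len < 255) len = ((len - 192) << 8) + buf[i++] + 192;
    else if (len === 255) { len = buf.readUInt32BE(i); i += 4; }
    out.push({ type: buf[i] & 0x7f, critical: (buf[i] & 0x80) !== 0, data: buf.subarray(i + 1, i + len) });
    i += len;                                              // len counts the type octet plus the body
  }
  return out;
}

// Split a v4 signature packet body into its hashed and unhashed subpacket areas.
function parseV4Signature(buf) {
  if (buf[0] !== 4) throw new Error('only v4 signature packets are handled');
  const hashedLen = buf.readUInt16BE(4);                   // after version, sig type, pk algo, hash algo
  const uStart = 6 + hashedLen;                            // unhashed area starts with its own 2-octet count
  const unhashedLen = buf.readUInt16BE(uStart);
  return { sigType: buf[1], pubKeyAlgo: buf[2], hashAlgo: buf[3],
           hashed: parseSubpackets(buf, 6, uStart),
           unhashed: parseSubpackets(buf, uStart + 2, uStart + 2 + unhashedLen) };
}

// The defect class from the description: a lookup that ignores which area a subpacket came from.
function lookupAnyArea(sig, type) {
  return [...sig.hashed, ...sig.unhashed].find(sp => sp.type === type) || null;
}

// Hardened lookup: only the hashed area is signed. Issuer ids may still come from the unhashed
// area (this example's choice) because they only hint which key to try; verifying the signature
// with that key is what actually binds it.
function lookupTrusted(sig, type) {
  const hit = sig.hashed.find(sp => sp.type === type);
  if (hit || !ISSUER_TYPES.has(type)) return hit || null;
  return sig.unhashed.find(sp => sp.type === type) || null;
}

// Constructed sample (hash prefix and MPIs omitted; the parser stops after the subpacket areas).
// Hashed area: creation time 0x60000000. Unhashed area: issuer key id, a second creation time
// and an expiration time, none of which the signer signed.
const SAMPLE = Buffer.from([4, 0, 1, 8, 0x00, 0x06, 5, 2, 0x60, 0, 0, 0,
  0x00, 0x16, 9, 16, 1, 2, 3, 4, 5, 6, 7, 8, 5, 2, 0x70, 0, 0, 0, 5, 3, 0, 0, 0, 1]);
```

Run against SAMPLE, `lookupTrusted` reports no expiration time at all, while `lookupAnyArea` happily returns the unsigned one from the unhashed area.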
Recommendation
Update the openpgp package to the latest compatible version. Version details:
- Affected version(s): <= 4.1.2
- Patched version(s): 4.2.0
References
- GHSA-hfmf-q43v-2ffj
- sec-consult.com
- www.bsi.bund.de
- snyk.io
- www.npmjs.com
- packetstormsecurity.com
- CVE-2019-9154
- CWE-347
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Tags:
- npm
- openpgp
Last updated on January 09, 2023