Description
Versions of openpgp prior to 4.3.0 are vulnerable to an Invalid Curve Attack. The package's ECDH implementation does not verify that the communication partner's public key is a valid point on the specified elliptic curve, so the shared secret is calculated on an altered curve instead of the specified one.
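The missing step described above, as an added example that is not code from the openpgp package or from this advisory: a receiver must reject a peer's ECDH public key unless it is a point on the agreed curve. The example assumes the NIST P-256 parameters and the uncompressed 0x04 || X || Y point encoding OpenPGP uses for NIST curves; the helper names and rejection reasons are constructed here.

```javascript
// NIST P-256 domain parameters (standard values), as BigInt.
const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  a: 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffcn,
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
};

const mod = (x, m) => ((x % m) + m) % m;

// Core check: does (x, y) satisfy y^2 = x^3 + a*x + b over F_p?
// A point that fails this lies on a different ("altered") curve, which is
// exactly what an unchecked ECDH implementation would compute on.
function isOnCurve(x, y, curve = P256) {
  const { p, a, b } = curve;
  if (x < 0n || x >= p || y < 0n || y >= p) return false; // coordinates must be reduced mod p
  return mod(y * y, p) === mod(x * x * x + a * x + b, p);
}

function bytesToBigInt(bytes) {
  return bytes.reduce((acc, byte) => (acc << 8n) | BigInt(byte), 0n);
}

// Validate an encoded peer public key before it is used in ECDH.
// Returns null when the key is acceptable, otherwise a reason to log.
function validateEcdhPublicKey(encoded, curve = P256) {
  if (!(encoded instanceof Uint8Array) || encoded.length !== 65) return "bad length";
  if (encoded[0] !== 0x04) return "not an uncompressed point";
  const x = bytesToBigInt(encoded.subarray(1, 33));
  const y = bytesToBigInt(encoded.subarray(33, 65));
  if (x === 0n && y === 0n) return "point at infinity"; // never a valid public key
  if (!isOnCurve(x, y, curve)) return "point not on curve";
  return null; // P-256 has cofactor 1, so any on-curve point is in the prime-order group
}

function bigIntToBytes(value) {
  const out = new Uint8Array(32);
  for (let i = 31; i >= 0; i--) { out[i] = Number(value & 0xffn); value >>= 8n; }
  return out;
}

// Encode (x, y) as 0x04 || X || Y; used to build constructed inputs for testing.
function encodePoint(x, y) {
  return new Uint8Array([0x04, ...bigIntToBytes(x), ...bigIntToBytes(y)]);
}
```

Curves with a cofactor greater than 1 additionally need a subgroup-membership check, which this P-256 example does not need.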
Recommendation
Update the openpgp package to the latest compatible version. Version details:
- Affected version(s): < 4.3.0
- Patched version(s): 4.3.0
References
- GHSA-77jf-fjjf-xcww
- sec-consult.com
- www.bsi.bund.de
- snyk.io
- www.npmjs.com
- packetstormsecurity.com
- CVE-2019-9155
- CWE-327
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Tags: npm, openpgp
Last updated on February 01, 2023