Description
Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a signature attached to a message is of type text, i.e. a type whose hashed data covers the message itself. An attacker can therefore take a signature of a type whose hash covers only the signature's own subpackets and no message data (such as a standalone or timestamp signature), attach it to a message of their choosing, and have that message verify as signed. No private key material is needed: any valid signature of such a type issued by the victim's key is sufficient.
Recommendation
Update the openpgp package to version 4.2.0 or a later compatible version. Version details:
- Affected version(s): <= 4.1.2
- Patched version(s): 4.2.0
References
- GHSA-qwqc-28w3-fww6
- sec-consult.com
- www.bsi.bund.de
- snyk.io
- www.npmjs.com
- packetstormsecurity.com
- CVE-2019-9153
- CWE-347
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A6
Related Issues
- OpenPGP.js's message signature verification can be spoofed - CVE-2025-47934
- Cross-site scripting in Swagger-UI - CVE-2019-17495
- Cleartext Signed Message Signature Spoofing in openpgp - CVE-2023-41037
- Path Traversal in simplehttpserver - CVE-2018-16478
Tags:
- npm
- openpgp
Last updated on January 09, 2023