Description
s2k.js in OpenPGP.js decrypts arbitrary messages regardless of the passphrase when given crafted PGP keys. Where message decryption is used as an authentication mechanism, this allows remote attackers to bypass authentication via a crafted symmetrically encrypted PGP message.
Recommendation
Update the openpgp package to the latest compatible version. Version details:
- Affected version(s): < 1.3.0
- Patched version(s): 1.3.0
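To confirm that no copy of openpgp below 1.3.0 remains after updating, including copies pulled in by other packages, the lockfile can be checked directly. The following is an added example, not code from this advisory or from the OpenPGP.js project; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example (not OpenPGP.js code): find openpgp installs below 1.3.0 in a
// parsed package-lock.json. Function names are hypothetical.
const PATCHED = [1, 3, 0]; // advisory: affected < 1.3.0, patched 1.3.0

// True when a registry version string sorts below 1.3.0 (a 1.3.0 pre-release does).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return false; // git/URL/tarball specs are not evaluated here
  const parts = [m[1], m[2], m[3]].map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return m[4] !== undefined;
}

// Returns [{ path, version }] for every affected copy, including nested ones.
function findAffectedOpenpgp(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/openpgp$/.test(path) && isAffected(meta.version || '')) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" trees.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'openpgp' && isAffected(meta.version || '')) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles ("mailer" is a made-up dependent package).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/openpgp': { version: '1.3.0' },
  'node_modules/mailer/node_modules/openpgp': { version: '1.2.0' } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  mailer: { version: '2.0.0', dependencies: { openpgp: { version: '0.11.1' } } } } };

console.log(findAffectedOpenpgp(SAMPLE_V3), findAffectedOpenpgp(SAMPLE_V1));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findAffectedOpenpgp`; an empty array means every registry-installed copy is at 1.3.0 or later.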
Last updated on January 27, 2023


