Description
s2k.js in OpenPGP.js decrypts arbitrary messages regardless of the passphrase supplied when a crafted PGP key is used. A remote attacker who supplies a crafted symmetrically encrypted PGP message can therefore bypass authentication in applications that use message decryption as an authentication mechanism.
Recommendation
Update the openpgp package to the latest compatible version. Version details:
- Affected version(s): < 1.3.0
- Patched version(s): 1.3.0
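The check a practitioner wants before closing this finding is whether any installed copy of openpgp, including transitive copies nested under other packages, is still below 1.3.0. The following is an added example (not code from the advisory or from the OpenPGP.js project) that compares versions with semver ordering and scans a package-lock.json object in either the lockfileVersion 1 layout (`dependencies` tree) or the lockfileVersion 2/3 layout (`packages` keyed by install path). The sample lockfile and the `some-wrapper` package in it are constructed for the example.

```javascript
// Added example (not from the advisory or the OpenPGP.js project): decide whether an
// installed openpgp version falls in the affected range (< 1.3.0) and scan an npm
// lockfile for affected entries.

const FIXED_VERSION = '1.3.0'; // first patched release per the advisory

// Parse "1.2.0", "v1.2.0" or "1.3.0-rc.1" into comparable parts.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(raw).trim());
  if (!m) throw new Error(`not an exact semver version: ${raw}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease of X.Y.Z sorts before X.Y.Z itself, so "1.3.0-rc.1" is still affected.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.core[i] !== vb.core[i]) return va.core[i] - vb.core[i];
  }
  if (va.prerelease && !vb.prerelease) return -1;
  if (!va.prerelease && vb.prerelease) return 1;
  return 0;
}

function isAffectedOpenpgp(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a parsed package-lock.json and return every resolved openpgp install
// that is below 1.3.0. Nested (transitive) copies are included because a
// vulnerable copy pulled in by another dependency is just as exploitable.
function findAffectedOpenpgp(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/openpgp') && entry.version &&
          isAffectedOpenpgp(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: recursive tree of name -> { version, dependencies }
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'openpgp' && entry.version && isAffectedOpenpgp(entry.version)) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not from any real project): a direct openpgp 1.2.0
// plus a patched 1.3.0 nested under a hypothetical "some-wrapper" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { openpgp: '^1.2.0' } },
    'node_modules/openpgp': { version: '1.2.0' },
    'node_modules/some-wrapper': { version: '0.1.0', dependencies: { openpgp: '^1.3.0' } },
    'node_modules/some-wrapper/node_modules/openpgp': { version: '1.3.0' },
  },
};

for (const hit of findAffectedOpenpgp(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.path} (openpgp ${hit.version} < ${FIXED_VERSION})`);
}
```

Run it against `JSON.parse(fs.readFileSync('package-lock.json'))` in a real project; a clean scan means every resolved copy is 1.3.0 or later. Upgrading closes the decryption bug itself, but an application that treats a successful decryption as proof that the caller knew the passphrase should also stop relying on that signal, since the advisory's impact only exists because decryption was being used as an authentication mechanism.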
Tags:
- npm
- openpgp
Last updated on January 27, 2023