Description
A maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed.

This flaw allows signature verifications of inline (non-detached) signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed.
Recommendation
Update the openpgp package to the latest compatible version. The version details are as follows:

Affected version(s): **>= 6.0.0-alpha.0, <= 6.1.0** and **>= 5.0.1, <= 5.11.2**
Patched version(s): **6.1.1** and **5.11.3**
Last updated on May 19, 2025