Description
A maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed.
This flaw allows signature verifications of inline (non-detached) signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed.
Recommendation
Update the openpgp package to the latest compatible version. Followings are version details:
Affected version(s): **>= 6.0.0-alpha.0, <= 6.1.0 >= 5.0.1, <= 5.11.2** Patched version(s): **6.1.1 5.11.3**
References
Related Issues
- vite allows server.fs.deny bypass via backslash on Windows - CVE-2025-62522
- Vite's `server.fs` settings were not applied to HTML files - CVE-2025-58752
- Trix editor subject to XSS vulnerabilities on copy & paste - CVE-2024-53847
- Knwl.js Regular Expression Denial of Service vulnerability - CVE-2020-26306
- Tags:
- npm
- openpgp
Anything's wrong? Let us know Last updated on May 19, 2025