Signature Spoofing Vulnerability in OpenPGP.js JavaScript Library
CVE-2025-47934

8.7 HIGH

Key Information:

Vendor: Openpgpjs

Status
Vendor
CVE Published: 19 May 2025

What is CVE-2025-47934?

A vulnerability exists in OpenPGP.js versions through 5.11.2 and 6.1.0 in which a specially crafted message can bypass signature verification. This allows an attacker to spoof non-detached signed messages: the library returns false data while still signaling a valid signature. Versions 5.11.3 and 6.1.1 include patches to mitigate this issue. It is recommended to implement workarounds, such as separate verification processes for signatures.

Affected Version(s)

openpgpjs >= 5.0.1, < 5.11.3 < 5.0.1, 5.11.3

openpgpjs >= 6.0.0-alpha.0, < 6.1.1 < 6.0.0-alpha.0, 6.1.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
