Signature Spoofing Vulnerability in OpenPGP.js JavaScript Library
CVE-2025-47934

8.7 HIGH

Key Information:

Vendor: Openpgpjs

Status
Vendor
CVE Published: 19 May 2025

Badges

📰 News Worthy

What is CVE-2025-47934?

CVE-2025-47934 is a signature spoofing vulnerability found in the OpenPGP.js library, which is a JavaScript implementation of the OpenPGP protocol designed for encrypting and signing data. This vulnerability exists in versions 5.0.1 up to 5.11.2 and 6.1.0 of the library, where a maliciously crafted message can manipulate the output of the openpgp.verify and openpgp.decrypt functions. Specifically, the flaw allows these functions to falsely indicate a valid signature verification even when the returned data was not legitimately signed.

Attackers can exploit this issue by utilizing a valid signature from any message and the corresponding plaintext. They can then generate a new inline-signed or signed-and-encrypted message containing any data of their choosing, which would misleadingly appear as validly signed by the affected versions. Consequently, organizations relying on this library for secure communications may inadvertently accept tampered or malicious data as authentic, undermining the overall security and integrity of their encrypted communications.

Potential impact of CVE-2025-47934

  1. Data Integrity Compromise: The ability to spoof signatures means that attackers can introduce unauthorized changes to messages that could be misrepresented as authentic. This can result in data integrity issues, where the information received may be false or malicious, affecting decision-making and operational security.

  2. Erosion of Trust: With the potential for misleadingly verified messages, organizations may find it challenging to trust communications that utilize the OpenPGP.js library. This could lead to significant reputational damage and loss of customer confidence, particularly in sectors where data authenticity is critical, such as finance or legal.

  3. Increased Attack Surface: By enabling attackers to bypass signature verification, this vulnerability increases the likelihood of further exploitation of systems using this library. It could facilitate additional attacks, leading to unauthorized access to sensitive information, further compromising the security landscape of an organization.

Affected Version(s)

openpgpjs >= 5.0.1, < 5.11.3 (not affected: < 5.0.1, 5.11.3)

openpgpjs >= 6.0.0-alpha.0, < 6.1.1 (not affected: < 6.0.0-alpha.0, 6.1.1)

News Articles

OpenPGP Vulnerability CVE-2025-47934 Exposes Users

CVE-2025-47934 flaw in OpenPGP.js allows spoofing of signed and encrypted messages. Users must patch immediately to avoid security risks.

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 📰 First article discovered by The Cyber Express

  • Vulnerability published

  • Vulnerability Reserved
