How does the OpenPGP.js vulnerability work?

The vulnerability exploits a flaw in OpenPGP.js's 'openpgp.verify' and 'openpgp.decrypt' functions, which can be tricked into returning valid signature verification results for data that was not actually signed. When a maliciously crafted message is passed to the verification functions, the library incorrectly validates the signature against one piece of data while extracting different, attacker-controlled content as the 'verified' message.

Which versions of OpenPGP.js are affected by this vulnerability?

The vulnerability affects OpenPGP.js versions 5.0.1 through 5.11.2 and versions 6.0.0-alpha.0 through 6.1.0. OpenPGP.js version 4 is not affected.

How can I fix the OpenPGP.js vulnerability?

OpenPGP.js maintainers have released patches to address the vulnerability: Version 5.11.3 (for v5 branch users) and Version 6.1.1 (for v6 branch users). Organizations should upgrade to these patched versions immediately.

Are there workarounds available if I cannot immediately upgrade OpenPGP.js?

Yes, two workarounds are available: 1) For inline-signed messages: Extract the message and signature(s) from the message returned by 'openpgp.readMessage', then verify each signature as a detached signature by passing the signature and a new message containing only the data to 'openpgp.verify'. 2) For signed-and-encrypted messages: Decrypt and verify in two separate steps by first calling 'openpgp.decrypt' without verification keys, then passing the returned signatures and a new message containing the decrypted data to 'openpgp.verify'.

What is the potential impact of the OpenPGP.js vulnerability?

The vulnerability allows attackers to spoof digital signatures on messages, making modified content appear as if it were legitimately signed and verified. This could enable attackers to forge communications that appear to come from trusted sources, potentially leading to fraud, misinformation, or other security breaches in applications that rely on OpenPGP.js for signature verification.

How critical is this OpenPGP.js vulnerability?

The vulnerability has a CVSS score of 8.7 and is rated as Critical by the project maintainers. This indicates a very high severity issue that could significantly compromise the security of applications using affected versions of OpenPGP.js.

Which popular services might be affected by this OpenPGP.js vulnerability?

Services like Proton Mail and other secure messaging platforms that use OpenPGP.js for cryptographic operations may be affected. Any application or service that relies on OpenPGP.js for signature verification should check their version and apply updates immediately.

Advisory

Critical signature verification flaw in OpenPGP.js library allows message spoofing

Q: What is OpenPGP.js and where is it used?

OpenPGP.js is a widely-used JavaScript cryptography library that powers encrypted communications in services like Proton Mail and other secure messaging platforms. It provides cryptographic functionality for secure email and messaging applications.

Q: Which types of signatures are affected by the OpenPGP.js vulnerability?

The vulnerability impacts inline-signed messages (using 'openpgp.verify') and signed-and-encrypted messages (using 'openpgp.decrypt' with verification keys). Detached signature verifications are not affected.

published: May 21, 2025

Take action: If you're using OpenPGP.js for signature verification of encrypted messages, plan a quick update to version 5.11.3 or 6.1.1 - there's a flaw that attackers to forge message signatures, making your product untrustworthy. If you can't update, you need to code a workaround. Either way, you have work to do, so pick your poison.

Learn More

A critical security vulnerability has been discovered in OpenPGP.js, a widely-used JavaScript cryptography library that powers encrypted communications in services like Proton Mail and other secure messaging platforms.

The vulnerability is tracked as CVE-2025-47934 (CVSS score 8.7, project score Critical) and allows attackers to spoof digital signatures on messages, making modified content appear as if it were legitimately signed and verified. The vulnerability exploits a flaw in OpenPGP.js's openpgp.verify and openpgp.decrypt functions, which can be tricked into returning valid signature verification results for data that was not actually signed.

The vulnerability impacts inline-signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verification keys). Detached signature verifications are not affected.

To exploit this vulnerability, an attacker needs access to two components: a single valid message signature (either inline or detached) and the plaintext data that was legitimately signed. With these elements, the attacker can construct a malicious message containing any content of their choice that will appear as legitimately signed by affected versions of OpenPGP.js.

When a maliciously crafted message is passed to the verification functions, the library incorrectly validates the signature against one piece of data while extracting different, attacker-controlled content as the "verified" message.

The vulnerability affects:

OpenPGP.js versions 5.0.1 through 5.11.2
OpenPGP.js versions 6.0.0-alpha.0 through 6.1.0
OpenPGP.js version 4 is not affected

OpenPGP.js maintainers have released patches to address the vulnerability:

Version 5.11.3 (for v5 branch users)
Version 6.1.1 (for v6 branch users)

For organizations unable to immediately upgrade, two workarounds are available:

For inline-signed messages: Extract the message and signature(s) from the message returned by openpgp.readMessage, then verify each signature as a detached signature by passing the signature and a new message containing only the data to openpgp.verify.
For signed-and-encrypted messages: Decrypt and verify in two separate steps by first calling openpgp.decrypt without verification keys, then passing the returned signatures and a new message containing the decrypted data to openpgp.verify.

Critical signature verification flaw in OpenPGP.js library allows message spoofing

Read More
AWS Cloud Development Kit flaw lets attackers gain …
Critical remote code execution flaw in NestJS development …
Critical stack buffer overflow flaw in Redis database …
Flowise AI Platform Targeted by Active Exploitation of …
Vulnerabilities in Chainlit AI Framework Expose Data and …