- Description
- OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using `openpgp.verify`) and signed-and-encrypted messages (using `openpgp.decrypt` with `verificationKeys`) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature. The issue has been patched in versions 5.11.3 and 6.1.1. Some workarounds are available. When verifying inline-signed messages, extract the message and signature(s) from the message returned by `openpgp.readMessage`, and verify each signature as a detached signature by passing the signature and a new message containing only the data (created using `openpgp.createMessage`) to `openpgp.verify`.
When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling `openpgp.decrypt` without `verificationKeys`, and then passing the returned signature(s) and a new message containing the decrypted data (created using `openpgp.createMessage`) to `openpgp.verify`.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-347
- Hype score
- Not currently trending
pocs/CVE-2025-47934 (OpenPGP.js) at main · codean-labs/pocs · GitHub - https://t.co/f7RRuF81D0
@piedpiper1616
14 Jun 2025
424 Impressions
2 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
[1day1line] CVE-2025-47934: OpenPGP.js Signature Spoofing Vulnerability https://t.co/NMzoWEQPxZ Today's 1day-1line features a vulnerability discovered in OpenPGP.js. A design flaw in its signature verification process lets attackers reuse existing valid signatures to spoof
@hackyboiz
12 Jun 2025
564 Impressions
6 Retweets
10 Likes
4 Bookmarks
0 Replies
0 Quotes
https://t.co/VNwiL9eujz An explanatory article on the OpenPGP.js vulnerability CVE-2025-47934. It is an issue that makes signature spoofing possible, and it is fixed in v5.11.3 and v6.1.1. An attacker can forge the victim's signature on arbitrary messages, a serious
@topickapp_com
11 Jun 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-47934 - Spoofing OpenPGP.js signature verification https://t.co/12INLmoRiT https://t.co/piAgai7OyI
@secharvesterx
10 Jun 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-47934 – Spoofing OpenPGP.js signature verification https://t.co/4pzVEHGVwa 1
@cevaboyz
10 Jun 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
OpenPGP.js Vulnerability Allows Message Signature Spoofing A critical vulnerability (CVE-2025-47934) was discovered in OpenPGP.js, a widely used JavaScript library for email encryption. The flaw allows attackers to spoof message signature verification, potentially enabling https
@PTechnology_nfo
23 May 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A high-risk vulnerability in OpenPGP.js (CVE-2025-47934) allows message spoofing, compromising message integrity and trust. Multiple versions affected; updating to v5 is essential. 🚨 #Crypto #JavaScript #UK https://t.co/OBAoyksFwl
@TweetThreatNews
22 May 2025
95 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
✉️ Critical OpenPGP.js Flaw Allows Signature Spoofing CVE-2025-47934 lets attackers spoof signatures in OpenPGP.js, tricking users into trusting tampered messages. Update to 5.11.3 or 6.1.1 now! https://t.co/fm1LyYbYxy #Cybersecurity #OpenPGP #Encryption #Infosec https://t
@dCypherIO
21 May 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical OpenPGP.js vulnerability (CVE-2025-47934) allows message spoofing by forging signatures, impacting versions 5.0.1–5.11.2 & 6.0.0-alpha.0–6.1.0. Update to 5.11.3 & 6.1.1 to stay protected.🔐 #Encryption #Privacy #UK https://t.co/xRYSSwFKhV
@TweetThreatNews
21 May 2025
50 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
You can spoof valid signatures in vulnerable versions of OpenPGP JS by just having an existing correctly signed inline message. (CVE-2025-47934) ProtonMail, among others, uses this JS library, in case the name is not ringing a bell. https://t.co/dACarEy9M0
@hkashfi
21 May 2025
630 Impressions
4 Retweets
19 Likes
5 Bookmarks
0 Replies
0 Quotes
📌 Vulnerability in OpenPGP.js (CVE-2025-47934) allows signature verification bypass. #CyberSecurity #OpenPGP https://t.co/Gp9i9C7pDg https://t.co/w5kSntvVkG
@CyberHub_blog
21 May 2025
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
1 Quote
A serious vulnerability (CVE-2025-47934) has been discovered in OpenPGP.js, an OpenPGP encryption library written in JavaScript. This vulnerability allows an attacker to spoof signature verification and make unsigned data appear as though it carried a legitimate signature
@yousukezan
21 May 2025
1688 Impressions
5 Retweets
18 Likes
3 Bookmarks
0 Replies
0 Quotes
At Codean Labs, our mission is to make the world more secure — and what better way than to secure fundamental open source projects? We identified CVE-2025-47934, a critical vulnerability in OpenPGP.js to spoof signatures, see https://t.co/qnxUn5nklf https://t.co/qnxUn5nklf
@CodeanIO
20 May 2025
150 Impressions
2 Retweets
7 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-47934 OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message ca… https://t.co/5N5kKk6LHM
@CVEnew
19 May 2025
195 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-47934: HIGH] Cyber security alert: OpenPGP.js versions 5.0.1 - 5.11.3 and 6.1.1 have a flaw allowing maliciously modified messages to pass verification. Update to fixed versions 5.11.3 or 6.1.1!#cve,CVE-2025-47934,#cybersecurity https://t.co/OQh2nDZQGC https://t.co/EkUj
@CveFindCom
19 May 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes