A Critical Flaw in OpenPGP.js Lets Attackers Spoof Message Signatures
Researchers have discovered a critical flaw in the widely-used OpenPGP.js library, which could allow attackers to spoof message signatures with devastating consequences.
The vulnerability, tracked as CVE-2025-47934, affects versions of OpenPGP.js ranging from 5.0.1 to 5.11.2 and 6.0.0 to 6.1.0, allowing attackers to craft messages that return valid signature checks on data not actually signed, misleading recipients.
Detached signatures are unaffected by this flaw, as no signed data is returned in those cases. However, inline-signed or signed+encrypted messages are vulnerable to spoofing, with the attacker needing only a single valid message signature and the plaintext data that was legitimately signed to construct an altered message.
"This flaw allows signature verifications of inline (non-detached) signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed," reads the advisory.
Experts warn that if an attacker can spoof a message, they can alter it to contain any content, while still appearing to have a valid signature. This has serious implications for security and trust in online communication.
The Impact of the Vulnerability
The discovery of this critical flaw highlights the importance of keeping software up-to-date and vigilant about security vulnerabilities. OpenPGP.js is an open-source JavaScript library used by developers to integrate secure end-to-end encryption features into their applications, browser extensions, or server-side tools.
A Call for Action
Fortunately, a patch has been released in versions 5.11.3 and 6.1.1 of OpenPGP.js, addressing the vulnerability. Additionally, workarounds are available via manual signature checks to mitigate the issue until a full fix can be implemented.
Preventing Future Attacks
To prevent future attacks like this one, it's crucial for developers and users to stay informed about security updates and best practices. Keeping software up-to-date, using secure communication protocols, and being cautious of suspicious messages are essential measures to protect against such vulnerabilities.
A Lesson in Security Awareness
As the cybersecurity landscape continues to evolve, it's more important than ever to prioritize security awareness and vigilance. By staying informed about emerging threats like this one, we can all play a crucial role in protecting ourselves and our online communications from harm.