Critical OpenPGP.js Vulnerability (CVE-2025-47934) Undermines Encrypted Message Trust
Security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs have uncovered a high-severity flaw (CVE-2025-47934) in OpenPGP.js, a widely used JavaScript library for OpenPGP encryption. The vulnerability, rated 8.7 (High) on the CVSS scale, allows attackers to spoof signed and encrypted messages, effectively breaking the trust model of public key cryptography.
The issue stems from flaws in the openpgp.verify and openpgp.decrypt functions, which fail to properly associate message data with its signature during verification. This enables threat actors to reuse a valid signature from a legitimate message to forge new, malicious content that appears authentic. Attackers only need a single valid signature and the original signed plaintext to craft a spoofed message.
Affected versions include 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0, while 4.x remains unaffected. Patches have been released in versions 5.11.3 and 6.1.1. For users unable to upgrade immediately, workarounds involve manually verifying signatures as detached rather than relying on the library’s built-in verification logic.
The discovery underscores the risks of client-side cryptographic libraries, particularly in browser-based environments, and the need for rigorous validation in tools securing encrypted communications. A full technical write-up and proof-of-concept exploit are available in the advisory posted to the OpenPGP.js GitHub repository.
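The affected-version ranges above are the first thing a practitioner checks when triaging this advisory. The following dependency-audit helper is an added example, not code from the article, Codean Labs or the OpenPGP.js project: it flags any openpgp entry in a package-lock-shaped map whose version falls inside the ranges the advisory lists (5.0.1 up to but not including the fixed 5.11.3, and 6.0.0-alpha.0 up to but not including the fixed 6.1.1). The semver comparison handles pre-release tags so that 6.0.0-alpha.0 and 6.0.0-beta.1 are ordered correctly. The sample lockfile entries, the `auditLock` and `isAffected` names and the range table are constructed for this example.

```javascript
// Added example (not from the article or the OpenPGP.js project): flag
// OpenPGP.js versions in the ranges the advisory lists for CVE-2025-47934.

const AFFECTED_RANGES = [
  // [first affected (inclusive), first fixed (exclusive)]
  ["5.0.1", "5.11.3"],          // 5.0.1 through 5.11.2; patched in 5.11.3
  ["6.0.0-alpha.0", "6.1.1"],   // 6.0.0-alpha.0 through 6.1.0; patched in 6.1.1
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null, // null means a release (no pre-release tag)
  };
}

// Semver rule: numeric identifiers compare numerically and sort before
// alphanumeric ones; alphanumeric identifiers compare lexically.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a), bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Number(a) - Number(b);
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns <0, 0 or >0 like a sort comparator. A release sorts after any
// pre-release with the same core version (6.0.0 > 6.0.0-alpha.0).
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return a.pre.length - b.pre.length;
}

// True when the version lies in an affected range: lo <= version < fixed.
function isAffected(version) {
  return AFFECTED_RANGES.some(([lo, fixed]) =>
    compareSemver(version, lo) >= 0 && compareSemver(version, fixed) < 0);
}

// Constructed sample shaped like the "packages" map of a package-lock.json;
// nested copies of openpgp pulled in by other dependencies are included
// deliberately, since those are the ones a quick `npm ls` glance misses.
const SAMPLE_LOCK = {
  "node_modules/openpgp": { version: "5.11.2" },
  "node_modules/mailer/node_modules/openpgp": { version: "6.0.0-beta.1" },
  "node_modules/legacy-tool/node_modules/openpgp": { version: "4.10.10" },
  "node_modules/webmail/node_modules/openpgp": { version: "6.1.1" },
};

// Return every openpgp install path whose version is affected.
function auditLock(packages) {
  return Object.entries(packages)
    .filter(([path, meta]) =>
      /(^|\/)node_modules\/openpgp$/.test(path) && isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

for (const hit of auditLock(SAMPLE_LOCK)) {
  console.log(`${hit.path}: openpgp ${hit.version} is affected by CVE-2025-47934;`
    + " upgrade to 5.11.3 (5.x) or 6.1.1 (6.x)");
}
```

On the constructed sample the audit reports the top-level 5.11.2 and the nested 6.0.0-beta.1 install, and leaves the 4.x and 6.1.1 copies alone. To run it against a real project, replace `SAMPLE_LOCK` with the `packages` object read from `package-lock.json`; the path regex only matches entries whose final segment is `node_modules/openpgp`, so forks published under other names are not covered.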
Source: https://thecyberexpress.com/cve-2025-47934-openpgp-vulnerability/
Codean Labs cybersecurity rating report: https://www.rankiteo.com/company/codean-labs
"id": "CODCOD1766105948",
"linkid": "codean-labs, codean-labs",
"type": "Vulnerability",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of OpenPGP.js versions 5.0.1-5.11.2 and 6.0.0-alpha.0-6.1.0',
                        'industry': 'Cybersecurity/Cryptography',
                        'name': 'OpenPGP.js',
                        'type': 'Open-source library'}],
 'attack_vector': 'Manipulation of cryptographic signatures',
 'data_breach': {'data_encryption': 'Affected (vulnerability in encryption/signature verification)',
                 'sensitivity_of_data': 'High (cryptographic trust compromised)',
                 'type_of_data_compromised': 'Signed/encrypted messages (spoofed content)'},
 'description': 'A flaw in OpenPGP.js, a widely used JavaScript library for OpenPGP encryption, allows threat actors to spoof both signed and encrypted messages, undermining trust in public key cryptography. The vulnerability (CVE-2025-47934) enables attackers to manipulate message content while retaining a valid signature from a previous, unrelated message.',
 'impact': {'brand_reputation_impact': 'High (undermines trust in OpenPGP.js)',
            'data_compromised': 'Encrypted and signed messages (spoofed content)',
            'operational_impact': 'Loss of trust in cryptographic integrity of communications',
            'systems_affected': 'Applications using OpenPGP.js versions 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0'},
 'investigation_status': 'Vulnerability disclosed, patches available',
 'lessons_learned': 'Highlights critical risks in client-side cryptographic libraries, emphasizing the need for rigorous testing and validation of tools securing encrypted communications.',
 'post_incident_analysis': {'corrective_actions': 'Patches released to fix signature verification logic; manual workarounds provided for unpatched versions.',
                            'root_causes': 'Failure to correctly associate extracted message data with its actual signature during verification in OpenPGP.js.'},
 'recommendations': ['Upgrade to OpenPGP.js versions 5.11.3 or 6.1.1 immediately.',
                     'For users unable to upgrade, implement manual verification workarounds for inline-signed and signed-and-encrypted messages.',
                     'Conduct thorough security reviews of cryptographic libraries in use.'],
 'references': [{'source': 'OpenPGP.js GitHub Advisory'},
                {'source': 'Codean Labs Technical Write-Up'}],
 'response': {'communication_strategy': 'Advisory posted to OpenPGP.js GitHub repository',
              'containment_measures': 'Patches released (versions 5.11.3 and 6.1.1)',
              'remediation_measures': 'Upgrade to patched versions or implement manual verification workarounds',
              'third_party_assistance': 'Security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs'},
 'stakeholder_advisories': 'Users and developers of OpenPGP.js advised to upgrade or implement workarounds.',
 'title': 'CVE-2025-47934: OpenPGP.js Signature Spoofing Vulnerability',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2025-47934'}