CVE-2025-47934: CWE-347: Improper Verification of Cryptographic Signature in openpgpjs openpgpjs
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline (non-detached) signed messages (using `openpgp.verify`) and signed-and-encrypted messages (using `openpgp.decrypt` with `verificationKeys`) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case. In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js. In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature. The issue has been patched in versions 5.11.3 and 6.1.1. Some workarounds are available. When verifying inline-signed messages, extract the message and signature(s) from the message returned by `openpgp.readMessage`, and verify the(/each) signature as a detached signature by passing the signature and a new message containing only the data (created using `openpgp.createMessage`) to `openpgp.verify`.
When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling `openpgp.decrypt` without `verificationKeys`, and then passing the returned signature(s) and a new message containing the decrypted data (created using `openpgp.createMessage`) to `openpgp.verify`.
AI Analysis
Technical Summary
CVE-2025-47934 is a high-severity vulnerability in OpenPGP.js, a widely used JavaScript implementation of the OpenPGP protocol, which is employed for encrypting, decrypting, signing, and verifying messages. The flaw exists in versions starting from 5.0.1 up to but not including 5.11.3, and from 6.0.0-alpha.0 up to but not including 6.1.1. The vulnerability arises from improper verification of cryptographic signatures (CWE-347) in the functions openpgp.verify and openpgp.decrypt when handling inline (non-detached) signed messages or signed-and-encrypted messages. Specifically, these functions can return a valid signature verification result while returning data that was not actually signed. This means an attacker who has access to a single valid signature and the corresponding plaintext can craft a malicious message that appears to be legitimately signed, but contains arbitrary data chosen by the attacker. Detached signature verification is not affected, as it does not return signed data. The attack exploits the fact that the verification functions do not ensure the returned data matches the originally signed content, allowing signature spoofing. This undermines the integrity guarantees of OpenPGP.js for inline-signed and signed+encrypted messages. The vulnerability does not require any privileges or user interaction and can be exploited remotely by anyone who can supply crafted messages. The issue has been patched in versions 5.11.3 and 6.1.1. Workarounds involve manually separating the message and signature using openpgp.readMessage and verifying signatures as detached by creating new messages with openpgp.createMessage and then verifying them separately. For decrypting and verifying signed+encrypted messages, a two-step process is recommended: first decrypt without verification keys, then verify signatures separately on the decrypted data. 
This vulnerability has a CVSS 4.0 score of 8.7 (high severity), reflecting its network attack vector, no required privileges or user interaction, and high impact on integrity. No known exploits are reported in the wild yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity of communications secured using OpenPGP.js, especially in environments relying on inline signatures or combined signed-and-encrypted messages. Attackers can spoof signatures to make malicious messages appear authentic, potentially leading to misinformation, unauthorized command execution, or fraudulent transactions. This undermines trust in secure messaging, code signing, or document verification workflows that use OpenPGP.js. Sectors such as government, finance, legal, and critical infrastructure that rely on cryptographic assurances for secure communications and data integrity are particularly at risk. The vulnerability could facilitate phishing, social engineering, or supply chain attacks by allowing attackers to forge apparently valid signed messages without needing to compromise private keys. Since OpenPGP.js is a JavaScript library, web applications and browser-based tools using it for encryption and signature verification are vulnerable, increasing the attack surface in cloud services and SaaS platforms. The lack of requirement for authentication or user interaction means attacks can be automated and launched at scale. The impact on confidentiality is limited since the vulnerability affects signature verification rather than encryption itself, but the integrity and authenticity of messages are severely compromised. This can lead to loss of trust, regulatory compliance issues under GDPR and other data protection laws, and potential financial and reputational damage.
Mitigation Recommendations
European organizations should urgently upgrade OpenPGP.js to versions 5.11.3 or 6.1.1 or later to apply the official patch. Until upgrades are possible, implement the recommended workarounds: for inline-signed messages, extract the message and signature(s) using openpgp.readMessage, then verify signatures as detached by creating new messages with openpgp.createMessage and passing them to openpgp.verify. For signed+encrypted messages, perform decryption without verification keys first, then verify the signatures separately on the decrypted data. Review all applications and services using OpenPGP.js to identify affected versions and usage patterns. Conduct code audits to ensure no inline signature verification is performed without these mitigations. Enhance monitoring for suspicious message patterns or signature verification anomalies. Educate developers and security teams about the vulnerability and the importance of proper signature verification. Consider additional layers of message integrity validation, such as out-of-band signature confirmation or multi-factor verification for critical transactions. Finally, maintain an inventory of cryptographic libraries and enforce strict update policies to reduce exposure to similar vulnerabilities.
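For the inventory step above, the following added example (not code from OpenPGP.js or from this advisory) flags every `openpgp` copy in an npm lockfile whose version falls in the affected ranges stated on this page. It assumes the lockfile v2/v3 `packages` layout; the package names in the sample are constructed.

```javascript
// Affected ranges as stated in the advisory: [inclusive lower, exclusive upper).
const RANGES = [['5.0.1', '5.11.3'], ['6.0.0-alpha.0', '6.1.1']];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m && { nums: [1, 2, 3].map((i) => Number(m[i])), pre: m[4] ? m[4].split('.') : [] };
}

// SemVer precedence: numeric core first, then a prerelease sorts below its release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (!a.pre.length || !b.pre.length) return (a.pre.length ? 0 : 1) - (b.pre.length ? 0 : 1);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers means lower precedence
    if (y === undefined) return 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return Number(x) < Number(y) ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort below alphanumeric
    return x < y ? -1 : 1;
  }
  return 0;
}

// true = affected, false = not affected, null = unparseable (review by hand).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0);
}

// Report every nested or top-level copy of openpgp that is affected or unparseable.
function findAffectedInLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => /(^|\/)node_modules\/openpgp$/.test(path) && isAffected(meta.version) !== false)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample lockfile; dependency names are hypothetical.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/openpgp': { version: '5.11.3' },
  'node_modules/mail-helper/node_modules/openpgp': { version: '5.5.0' },
  'node_modules/legacy/node_modules/openpgp': { version: '4.10.10' },
  'node_modules/beta-tool/node_modules/openpgp': { version: '6.0.0-beta.1' },
} };
console.log(findAffectedInLockfile(sampleLock));
```

Transitive copies matter here: a patched top-level `openpgp` does not help if a dependency pins its own affected version further down the tree.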
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-14T10:32:43.529Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f71484d88663aeb17e
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/10/2025, 7:19:29 PM
Last updated: 7/30/2025, 4:08:02 PM