Full Report
A flaw has been discovered in OpenPGP.js, a widely used JavaScript library for OpenPGP encryption. Tracked as CVE-2025-47934, the vulnerability allows threat actors to spoof both signed and encrypted messages, effectively undermining the very foundation of trust in public key cryptography. The vulnerability, rated 8.7 (High) on the CVSS scale, was discovered by security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs. Their findings were disclosed in an advisory posted to the OpenPGP.js GitHub repository, with a full technical write-up and proof-of-concept exploit. The delay in publishing the PoC is a standard practice intended to give developers and users time to apply necessary patches. Nature of the CVE-2025-47934 Vulnerability The issue lies in the openpgp.verify and openpgp.decrypt functions of OpenPGP.js. According to the advisory, a malicious message can be processed by these functions in a way that falsely returns a valid signature verification, even though the message was never signed by a trusted party. This defect affects both inline-signed messages and signed-and-encrypted messages. In technical terms, the vulnerability arises because OpenPGP.js fails to correctly associate the extracted message data with its actual signature during verification. This oversight allows attackers to manipulate the content of a message while retaining a valid signature from a previous, unrelated message. "In order to spoof a message," the advisory explains, "the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed. They can then construct an inline-signed or signed-and-encrypted message containing any data of their choice, which will appear as legitimately signed." This means a bad actor can reuse a valid signature to forge new content that appears authentic to the recipient, bypassing the trust model OpenPGP is built upon. The vulnerability affects versions 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0 of OpenPGP.js. Users are strongly advised to upgrade to version 5.11.3 or 6.1.1, both of which contain the necessary security patches. Notably, version 4.x remains unaffected by this issue. Mitigation Strategies While patches are available, users who cannot immediately upgrade are encouraged to implement workarounds: For inline-signed messages, manually extract the message and signature, then verify the signature as if it were detached. This involves creating a new message object using openpgp.createMessage and passing it along with the extracted signature to openpgp.verify. For signed-and-encrypted messages, first decrypt the message without specifying verification keys. Then verify the decrypted content in a separate step, again treating the signature as detached. These steps prevent reliance on the vulnerable combined verification-decryption logic present in the affected versions. To sum up, the discovery of CVE-2025-47934 highlights the critical risks inherent in client-side cryptographic libraries, particularly those written in JavaScript and used in browser environments. It highlights the necessity of rigorous testing and validation for tools that secure encrypted communications.
Analysis Summary
# Vulnerability: OpenPGP.js Spoofing Vulnerability Allowing Signature Forgery
## CVE Details
- CVE ID: CVE-2025-47934
- CVSS Score: Not explicitly stated, but described as "High-Risk"
- CWE: Not explicitly stated (Likely related to Signature Validation/Improper Input Validation)
## Affected Systems
- Products: OpenPGP.js (JavaScript Crypto Library)
- Versions: 5.0.1 through 5.11.2, and 6.0.0-alpha.0 through 6.1.0
- Configurations: Affects processing of inline-signed messages and signed-and-encrypted messages where verification relies on combined decryption logic. Version 4.x is unaffected.
## Vulnerability Description
This vulnerability exists within the OpenPGP.js library and allows a sophisticated attacker to reuse a valid signature to forge new content that the recipient will trust as genuinely signed by the original sender. This bypasses the intended trust model of OpenPGP, as the attacker can substitute arbitrary user-selected data for the original signed data while retaining the valid signature.
## Exploitation
- Status: Not explicitly stated if exploited in the wild, but PoC environment (browser/client-side application logic) is implied by the nature of the library.
- Complexity: Inferred to be Medium/High due to the need to manipulate signature/message objects.
- Attack Vector: Adjacent or Network (depending on how the forged message is delivered).
## Impact
- Confidentiality: Potential impact if used in combination with other flaws, as forged data could lead to unauthorized actions.
- Integrity: High. Allows an attacker to substitute arbitrary, chosen data for the real signed data, fooling the recipient into accepting forged content as legitimate.
- Availability: Low direct impact.
## Remediation
### Patches
- Upgrade to OpenPGP.js version **5.11.3**
- Upgrade to OpenPGP.js version **6.1.1**
### Workarounds
Users unable to upgrade immediately should manually decouple the decryption and verification steps for vulnerable message formats:
1. **Inline-Signed Messages:** Manually extract the message content and the signature. Verify the signature as if it were detached using `openpgp.createMessage` and `openpgp.verify`.
2. **Signed-and-Encrypted Messages:** Decrypt the message *without* specifying verification keys first. Then, verify the resulting decrypted content in a separate step, treating the signature as detached.
## Detection
- Detection focuses on observing application behavior using the affected library versions processing suspect signed content.
- Specific IoCs are not provided, but monitoring for unexpected content acceptance following cryptographic operations using OpenPGP.js versions 5.x/6.x is recommended until patching is complete.
## References
- [JavaScript Crypto Library OpenPGP.js Hit by High-Risk Spoofing Vulnerability](https://thecyberexpress.com/cve-2025-47934-openpgp-vulnerability/)