OpenPGP.js's message signature verification can be spoofed

🗓️ 19 May 2025 21:54:43Reported by GitHub Advisory DatabaseType

OpenPGP.js flawed signature verification allows spoofed messages with valid signatures, patched now.

Reporter	Title	Published	Views	Family All 23
IBM Security Bulletins	Security Bulletin: Astronomer with IBM is vulnerable to invalid signature verification due to the OpenPGP.js package (CVE-2025-47934)	20 Nov 202514:22	–	ibm
Chainguard	CVE-2025-47934 vulnerabilities	26 May 202519:15	–	cgr
Circl	CVE-2025-47934	19 May 202520:08	–	circl
CNNVD	OpenPGP.js 数据伪造问题漏洞	19 May 202500:00	–	cnnvd
CVE	CVE-2025-47934	19 May 202518:57	–	cve
Cvelist	CVE-2025-47934 OpenPGP.js's message signature verification can be spoofed	19 May 202518:57	–	cvelist
EUVD	EUVD-2025-15798	3 Oct 202520:07	–	euvd
NVD	CVE-2025-47934	19 May 202519:15	–	nvd
OSV	CGA-QHHC-4PWG-4QV7	29 Jan 202600:49	–	osv
OSV	CVE-2025-47934 OpenPGP.js's message signature verification can be spoofed	19 May 202518:57	–	osv

Vulners

Node

openpgp openpgpRange6.0.0-alpha.0–6.1.0npm

openpgp openpgpRange5.0.1–5.11.2npm

Source	Link
github	www.github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-47934
github	www.github.com/openpgpjs/openpgpjs/commit/43f5f4e2bd67d0514d06acc60b6ee571a049c229
github	www.github.com/openpgpjs/openpgpjs/commit/843a69d0adbdec0f87af09f9000a9223e6614e5c
github	www.github.com/openpgpjs/openpgpjs/commit/bd54e8535ca29b3bef58a8c02296892e408be356
github	www.github.com/openpgpjs/openpgpjs/releases/tag/v5.11.3
github	www.github.com/openpgpjs/openpgpjs/releases/tag/v6.1.1
github	www.github.com/advisories/GHSA-8qff-qr5q-5pr8

19 May 2025 21:54Current

6.6Medium risk

Vulners AI Score6.6

CVSS 48.7

EPSS0.00156

SSVC