38 matches found
Security Bulletin: Astronomer with IBM is vulnerable to invalid signature verification due to the OpenPGP.js package (CVE-2025-47934)
Summary: OpenPGP.js is used by Astronomer with IBM as part of OpenPGP processing functionality. Vulnerability Details: CVEID: CVE-2025-47934. DESCRIPTION: OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Starting in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously...
EUVD-2019-0635
Malware in sbrugna...
EUVD-2019-0626
Malware in sbrugna...
EUVD-2019-0640
Malware in sbrugna...
EUVD-2022-5003
Malicious code in bioql PyPI...
EUVD-2025-15798
Malicious code in bioql PyPI...
Improper Verification Of Cryptographic Signature
OpenPGP.js is vulnerable to Signature Spoofing. The vulnerability stems from improper signature verification: the functions openpgp.verify and openpgp.decrypt return valid signature results on tampered data in inline-signed or signed-and-encrypted messages...
OpenPGP.js's message signature verification can be spoofed
Impact A maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline non-detached signed messag...
OpenPGP.js data forgery vulnerability
OpenPGP.js is an open source OpenPGP encryption algorithm library implemented in JavaScript by OpenPGP.js Open Source. A data forgery issue vulnerability exists in OpenPGP.js versions prior to 5.11.3 and 6.1.1, which stems from a maliciously modified message that could result in signature...
PT-2025-22082 · Unknown · Openpgp.Js
Name of the Vulnerable Software and Affected Versions: OpenPGP.js versions 5.0.1 through 5.11.2; OpenPGP.js versions 6.0.0 through 6.1.0. Description: A maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature...
Cleartext Signed Message Signature Spoofing in openpgp
Impact OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This text is signed. -----BEGIN PGP SIGNATURE----- wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+...
CVE-2023-41037
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorit...
CVE-2023-41037 Cleartext Signed Message Signature Spoofing in openpgpjs
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorit...
CVE-2023-41037
OpenPGP.js vulnerability (CVE-2023-41037) in Cleartext Signed Messages: versions up to 5.9.0 ignore data before the Hash: header, enabling text insertion that appears signed. Impact arises if an app verifies only verificationResult.verified and visually trusts the message; otherwise, verified dat...
Openpgp.js data forgery vulnerability
Openpgp.js is an open source OpenPGP cryptographic algorithm library implemented in JavaScript. OpenPGP.js suffers from a data forgery issue vulnerability that stems from the fact that signed text can be read without special tools...
PT-2023-27753 · Unknown · Openpgp.Js
Name of the Vulnerable Software and Affected Versions: OpenPGP.js versions up to 5.9.0. OpenPGP.js version 5.10.1 (current stable version) is not affected, and version 4.10.11 (legacy version) is also not affected. Description: OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In...
GHSA-QMVQ-F3FJ-M3WG OpenPGP 1.2.0 and earlier decrypts arbitrary messages
s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys, which allows remote attackers to bypass authentication, if message decryption is used as an authentication mechanism, via a crafted symmetrically encrypted PGP message...
Message Signature Bypass
Overview: Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to construct a message with a signature type that only verifies subpackets without additional input such as...
Improper Verification Of Cryptographic Signature
openpgp.js performs improper verification of cryptographic signatures. The vulnerability exists because openpgp.js incorrectly trusts unhashed signature subpackets...