
Critical OpenPGP.js Vulnerability Allows Spoofing

  • May 21, 2025

Jasper_The_Rasper
Moderator

An OpenPGP.js vulnerability tracked as CVE-2025-47934 allows message signature verification to be spoofed. 


May 21, 2025 By Eduard Kovacs


The developers of OpenPGP.js have released updates to patch a critical vulnerability that can be exploited to spoof message signature verification.

OpenPGP.js is an open source JavaScript implementation of the OpenPGP email encryption library, enabling its use on any device. According to its developers, “The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications.”

Its website shows that OpenPGP.js is used by projects such as FlowCrypt, Mymail-Crypt, UDC, Encrypt.to, PGP Anywhere, and Passbolt.

Researchers Edoardo Geraci and Thomas Rinsma of Codean Labs discovered recently that OpenPGP.js is affected by a critical vulnerability.

The flaw enables an attacker to spoof signature verification using a specially crafted message passed to the ‘openpgp.verify’ or ‘openpgp.decrypt’ functions, causing them to “return a valid signature verification result while returning data that was not actually signed”.


>>Full Article<<
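The practical point behind the article's description of the flaw is that, for an inline-signed message (and for a signed-and-encrypted one decrypted with verificationKeys), the `data` that openpgp.verify / openpgp.decrypt returned was not guaranteed to be the data the signature was computed over; detached-signature verification was not affected, because it returns no data. The OpenPGP.js advisory for CVE-2025-47934 names v5.11.3 and v6.1.1 as the patched releases and, for code that cannot upgrade yet, describes a workaround that reduces every case to a detached check: take the signature out of the parsed message and verify it over a fresh message containing exactly the data you are about to act on. The JavaScript below is an added example of that workaround; it is not code from the article, the forum post or the OpenPGP.js project. The real API names it uses (openpgp.readMessage, openpgp.createMessage, openpgp.verify, openpgp.decrypt, openpgp.Signature, openpgp.enums.packet.signature) are assumed to behave as in OpenPGP.js v5/v6; everything else (the function names, the `fakeOpenpgp` stand-in with its JSON "armor", the key ID, the sample texts) is constructed so the example runs offline and the spoof can actually be shown.

```javascript
// Added example, not code from the article or the OpenPGP.js project: the two-step
// check the OpenPGP.js advisory for CVE-2025-47934 gives as a workaround. Each
// function takes the `openpgp` module as a parameter so the pattern runs here
// against a constructed stand-in (fakeOpenpgp, below); with the real library you
// would pass `await import('openpgp')`.

// Naive path: act on the data handed back next to the "valid" verdict.
async function verifyInlineNaive(openpgp, armoredMessage, verificationKeys) {
  const message = await openpgp.readMessage({ armoredMessage });
  const { data, signatures } = await openpgp.verify({ message, verificationKeys });
  await signatures[0].verified;        // rejects if the signature is bad
  return data;                         // affected versions: not necessarily what was signed
}

// Hardened path for inline-signed messages: verify the extracted signature
// DETACHED over a fresh message that contains only the text we will use.
async function verifyInlineHardened(openpgp, armoredMessage, verificationKeys) {
  const message = await openpgp.readMessage({ armoredMessage });
  const text = message.getText();
  const sigPackets = message.packets.filterByTag(openpgp.enums.packet.signature);
  if (sigPackets.length === 0) throw new Error('message carries no signature');
  const signature = new openpgp.Signature(sigPackets);
  const plain = await openpgp.createMessage({ text });
  const { signatures } = await openpgp.verify({ message: plain, signature, verificationKeys });
  await Promise.all(signatures.map(s => s.verified));   // every signature must cover `text`
  return text;
}

// Hardened path for signed+encrypted messages: decrypt WITHOUT verificationKeys,
// then verify each returned signature detached over the decrypted data.
async function decryptHardened(openpgp, armoredMessage, decryptionKeys, verificationKeys) {
  const message = await openpgp.readMessage({ armoredMessage });
  const { data, signatures } = await openpgp.decrypt({ message, decryptionKeys });
  if (signatures.length === 0) throw new Error('decrypted message is unsigned');
  const plain = await openpgp.createMessage({ text: data });
  for (const s of signatures) {
    const signature = await s.signature;       // Promise<Signature> in v5/v6
    const res = await openpgp.verify({ message: plain, signature, verificationKeys });
    await Promise.all(res.signatures.map(v => v.verified));
  }
  return data;
}

// ---- Constructed stand-in for the openpgp module (so this file runs offline) ----
// "Armor" is a JSON packet list; a signature packet records the text it covers.
// Inline verify() models the flaw: the signature is checked against the FIRST
// literal packet while the returned data comes from the LAST one. Detached
// verify() is honest: it checks the signature over exactly the text it is given.
function verdict(packet, text) {
  return {
    keyID: packet.keyID, packet,
    get verified() {   // lazy, so a rejected promise only exists once it is awaited
      return packet.signedText === text ? Promise.resolve(true)
                                        : Promise.reject(new Error('Signature is invalid'));
    },
  };
}
const fakeOpenpgp = {
  enums: { packet: { signature: 2, literalData: 11 } },   // real OpenPGP packet tags
  Signature: class { constructor(packets) { this.packets = packets; } },
  async readMessage({ armoredMessage }) {
    const packets = JSON.parse(armoredMessage);
    const literals = packets.filter(p => p.tag === 11);
    return { packets: { filterByTag: tag => packets.filter(p => p.tag === tag) },
             getText: () => literals[literals.length - 1].text };
  },
  async createMessage({ text }) { return { text }; },
  async verify({ message, signature }) {
    if (signature) return { data: message.text, signatures: signature.packets.map(p => verdict(p, message.text)) };
    const literals = message.packets.filterByTag(11), sigs = message.packets.filterByTag(2);
    return { data: literals[literals.length - 1].text, signatures: sigs.map(p => verdict(p, literals[0].text)) };
  },
  async decrypt({ message }) {         // "decryption" is a no-op in the stand-in
    const { data, signatures } = await this.verify({ message });
    signatures.forEach(s => { s.signature = Promise.resolve(new this.Signature([s.packet])); });
    return { data, signatures };
  },
};

// Constructed samples: a genuine inline-signed message, and a spoofed one that
// reuses its signature packet and appends a second, attacker-chosen literal packet.
const SIGNED_TEXT = 'Transfer 10 EUR to account A';
const sigPacket = { tag: 2, keyID: 'CAFEBABE', signedText: SIGNED_TEXT };
const GENUINE = JSON.stringify([{ tag: 11, text: SIGNED_TEXT }, sigPacket]);
const SPOOFED = JSON.stringify([{ tag: 11, text: SIGNED_TEXT }, sigPacket,
                                { tag: 11, text: 'Transfer 10000 EUR to account B' }]);

// Runs every path against the samples and reports what each did.
async function demo() {
  const keys = [];   // the stand-in ignores keys; real code passes the sender's public keys
  const out = { naiveData: await verifyInlineNaive(fakeOpenpgp, SPOOFED, keys) };   // fooled
  out.genuineData = await verifyInlineHardened(fakeOpenpgp, GENUINE, keys);         // still accepted
  for (const [name, run] of [['inline', () => verifyInlineHardened(fakeOpenpgp, SPOOFED, keys)],
                             ['encrypted', () => decryptHardened(fakeOpenpgp, SPOOFED, keys, keys)]]) {
    try { await run(); out[name] = 'ACCEPTED'; } catch (e) { out[name] = 'REJECTED: ' + e.message; }
  }
  return out;
}
demo().then(r => console.log(r));
```

With the real library, `verificationKeys` are the sender's public keys and `decryptionKeys` your unlocked private key; the stand-in ignores both and models only the mismatch between verdict and returned data. Against the spoofed sample the naive path hands back the attacker's text with a passing verdict, while both hardened paths reject it, because a detached check binds the verdict to the very bytes passed to createMessage. That binding is worth keeping even after upgrading: it removes any dependence on how the library picks which packet's contents to return.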