- Forged messages can be verified as if they were legitimate
- The bug affects multiple versions of OpenPGP.js
- A patch is available
A security flaw in OpenPGP.js, the JavaScript implementation of OpenPGP, allows threat actors to have forged messages verified as if they were legitimate, essentially breaking the library's public-key cryptography. That is according to security researchers Edoardo Geraci and Thomas Rinsma of Codean Labs, who found and recently reported the vulnerability.
OpenPGP.js is an open source JavaScript library that lets developers encrypt, decrypt, sign and verify messages using the OpenPGP standard. Normally, when a user digitally signs a message, the signature guarantees that the content was not tampered with.
In this case, however, the vulnerability allows a threat actor to change the content of a message while it still appears to carry a valid signature.
Applying the patch
In theory, the vulnerability could be used to authorize fraudulent payments, among other things. If a company used OpenPGP.js to verify digitally signed payment requests from its customers, an attacker could obtain a validly signed request, modify the payment details and send it back, effectively stealing the money.
Versions 5.0.1 to 5.12.2 and 6.0.0-alpha.0 to 6.1.0 of OpenPGP.js were said to be vulnerable, and the problem was fixed in versions 5.11.3 and 6.1.1. Version 4 is not affected, it was added.
Those who cannot apply the patch should apply the workaround immediately. Users can verify signatures separately instead of relying solely on the library's verification result, or decrypt messages in two steps to ensure the data was not tampered with.
The bug is now tracked as CVE-2025-47934 and carries a severity score of 8.7/10 (high). There is currently no confirmed evidence of exploitation in the wild. According to the maintainers, a proof of concept (PoC) and a detailed analysis of the vulnerability will be published soon, likely leaving users enough time to apply the patch.
Via The Register