CVE-2023-41037: 
JavaScript vulnerability analysis and mitigation

OpenPGP.js, a JavaScript implementation of the OpenPGP protocol, was found to have a vulnerability (CVE-2023-41037) affecting versions up to v5.9.0. The vulnerability was discovered and disclosed on August 29, 2023, impacting the signature verification process in OpenPGP Cleartext Signed Messages (GitHub Advisory).

The vulnerability stems from the way OpenPGP.js processes Cleartext Signed Messages. The software ignored any data preceding the "Hash: ..." texts when verifying the signature. These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability allows malicious actors to add arbitrary text to a third-party Cleartext Signed Message, potentially leading victims to believe that the arbitrary text was signed. This affects users or applications that verify the CleartextMessage by only checking the returned 'verified' property while discarding the associated 'data' information and visually trusting the contents of the original message (GitHub Advisory).

The issue has been patched in version 5.10.1 (current stable version) and version 4.10.11 (legacy version). The fix rejects messages when calling openpgp.readCleartextMessage() in v5.10.1 and openpgp.cleartext.readArmored() in v4.10.11. For users unable to upgrade, the recommended workaround is to check the contents of verificationResult.data to see what data was actually signed, rather than visually trusting the contents of the armored message (GitHub Advisory).