Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-47934
CVE-2025-47934:
JavaScript vulnerability analysis and mitigation
Overview
OpenPGP.js, a JavaScript implementation of the OpenPGP protocol, contains a critical vulnerability (CVE-2025-47934) discovered in May 2025 by Edoardo Geraci and Thomas Rinsma of Codean Labs. The vulnerability affects versions 5.0.1 through 5.11.2 and 6.0.0-alpha.0 through 6.1.0, allowing attackers to spoof message signature verifications in both the openpgp.verify and openpgp.decrypt functions (GitHub Advisory).
Technical details
The vulnerability stems from improper verification of cryptographic signatures, where a maliciously modified message can cause the functions to return a valid signature verification result while returning data that was not actually signed. This affects both inline (non-detached) signed messages using openpgp.verify and signed-and-encrypted messages using openpgp.decrypt with verificationKeys. Notably, detached signature verifications are not affected by this vulnerability. The issue has been assigned a CVSS 4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (NVD).
Impact
An attacker who obtains a single valid message signature (inline or detached) and the corresponding plaintext data can construct an inline-signed message or signed-and-encrypted message containing arbitrary data of their choice. This modified message will appear as legitimately signed by affected versions of OpenPGP.js, effectively allowing signature verification to be spoofed (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in versions 5.11.3 and 6.1.1. For users unable to update immediately, two workarounds are available: For inline-signed messages, extract the message and signature(s) from openpgp.readMessage output and verify each signature as a detached signature. For signed+encrypted messages, decrypt and verify in two steps by first calling openpgp.decrypt without verificationKeys, then verify the signature(s) separately (GitHub Advisory).
Community reactions
The vulnerability was discovered through the OpenPGP.js bug bounty program hosted by YesWeHack and sponsored by the Sovereign Tech Agency. The most notable user of OpenPGP is encrypted email provider Proton Mail, which maintains the library and uses the technology to offer end-to-end encryption for its more than 100 million registered accounts (Wiz).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management