=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN327

_____________________________________________________________________

DATE                : 20/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running openpgpjs versions prior to
                     5.11.3, 6.1.1.

=====================================================================
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
_____________________________________________________________________

Message signature verification can be spoofed
Critical
twiss published GHSA-8qff-qr5q-5pr8 May 19, 2025

Package
openpgp (npm)

Affected versions
5.0.1 - 5.11.2 || 6.0.0-alpha.0 - 6.1.0

Patched versions
5.11.3, 6.1.1


Description

Impact

A maliciously modified message can be passed to either openpgp.verify or
openpgp.decrypt, causing these functions to return a valid signature
verification result while returning data that was not actually signed.

This flaw allows signature verifications of inline (non-detached) signed
messages (using openpgp.verify) and signed-and-encrypted messages (using
openpgp.decrypt with verificationKeys) to be spoofed, since both functions
return extracted data that may not match the data that was originally
signed. Detached signature verifications are not affected, as no signed
data is returned in that case.

In order to spoof a message, the attacker needs a single valid message
signature (inline or detached) as well as the plaintext data that was
legitimately signed, and can then construct an inline-signed message or
signed-and-encrypted message with any data of the attacker's choice,
which will appear as legitimately signed by affected versions of
OpenPGP.js.

In other words, any inline-signed message can be modified to return any
other data (while still indicating that the signature was valid), and
the same is true for signed+encrypted messages if the attacker can
obtain a valid signature and encrypt a new message (of the attacker's
choice) together with that signature.

Both OpenPGP.js v6 and v5 are affected. OpenPGP.js v4 is not affected.


Patches

The issue has been patched in versions 5.11.3 and 6.1.1.


Workarounds

    When verifying inline-signed messages, extract the message and
signature(s) from the message returned by openpgp.readMessage, and
verify the (or each) signature as a detached signature by passing the
signature and a new message containing only the data (created using
openpgp.createMessage) to openpgp.verify.

    When decrypting and verifying signed+encrypted messages, decrypt
and verify the message in two steps, by first calling openpgp.decrypt
without verificationKeys, and then passing the returned signature(s)
and a new message containing the decrypted data (created
using openpgp.createMessage) to openpgp.verify.
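
The second workaround (signed+encrypted messages), as an added JavaScript example that is not code from the advisory or from the OpenPGP.js project. The function name, its parameters and the acceptance policy (at least one valid signature from the supplied keys) are assumptions; `openpgp` is the OpenPGP.js module, passed in by the caller.

```javascript
// Added example: two-step decrypt-then-verify, following the workaround above.
// `openpgp` is the OpenPGP.js module, e.g. require('openpgp'), supplied by the caller.
// Name, parameters and acceptance policy are assumptions, not project code.
async function decryptThenVerifyDetached(openpgp, { armoredMessage, decryptionKeys, verificationKeys }) {
  const encrypted = await openpgp.readMessage({ armoredMessage });

  // Step 1: decrypt only. verificationKeys is deliberately NOT passed, and the
  // `verified` promises of this result are never consulted.
  const { data, signatures } = await openpgp.decrypt({
    message: encrypted,
    decryptionKeys,
    format: 'binary' // Uint8Array: the exact bytes that will be verified and returned
  });
  if (signatures.length === 0) throw new Error('message carries no signature');

  // Step 2: verify each returned signature as a detached signature over a
  // new message that contains only the decrypted data.
  const validKeyIDs = [];
  for (const entry of signatures) {
    const signature = await entry.signature;
    const message = await openpgp.createMessage({ binary: data });
    const result = await openpgp.verify({ message, signature, verificationKeys });
    for (const sig of result.signatures) {
      try {
        await sig.verified; // rejects when invalid or when the signing key is unknown
        validKeyIDs.push(sig.keyID.toHex());
      } catch (err) {
        // not valid for the supplied keys: ignored here, counted below
      }
    }
  }

  // Fail closed: never hand back data that no supplied key has signed.
  if (validKeyIDs.length === 0) throw new Error('no valid signature from the supplied keys');
  return { data, validKeyIDs };
}
```

The caller should use only the returned `data`, which is the same byte array that was passed to the detached verification.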


Acknowledgements

We would like to thank:

    Edoardo Geraci and Thomas Rinsma of Codean Labs for finding and
reporting this vulnerability
    The Sovereign Tech Agency for sponsoring the OpenPGP.js bug bounty
program
    YesWeHack for hosting the OpenPGP.js bug bounty program


Severity
Critical

CVE ID
CVE-2025-47934

Weaknesses
No CWEs


Credits

    @CodeanIO (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
