Spoofing OpenPGP.js signature verification

https://news.ycombinator.com/rss Hits: 14
Summary

TL;DR This is a write-up of CVE-2025-47934, a vulnerability in OpenPGP.js found by Codean Labs, which was patched in v5.11.3 and v6.1.1. After obtaining a valid signature made by a target author (“Alice”), an attacker could abuse this vulnerability to “spoof” arbitrary signatures by Alice (even as encrypted messages), i.e. making it look (to OpenPGP.js users) as if Alice signed any arbitrary message. Given that this is a core principle of PGP which directly affects some integrating applications, the overall risk was considered to be critical. This write-up explains how this was possible, and provides a proof-of-concept at the end.

Introduction

The OpenPGP.js library provides an implementation of the OpenPGP standard specified in RFC 9580. If you’ve ever used encrypted email or signed git commits, you may be familiar with this standard. On a high level the OpenPGP standard supports message encryption (symmetric and asymmetric), message signing, and functionality for key management. With OpenPGP.js, it is possible to do all of this in JavaScript. It is used by several web-based email clients that support encryption, including Proton Mail and Mailvelope.

The OpenPGP message format

All PGP payloads (messages, detached signatures and keys) simply consist of a sequence of packets; there is no overarching header. These packets follow a relatively simple but custom binary protocol as defined by the standard.

The resulting binary payload can be sent as-is but is often base64-encoded, resulting in an “ASCII-armored” payload such as the following:

-----BEGIN PGP MESSAGE-----

owGbwMvMwCV2JXpbW1xI0SnG0zxJDBkOns8zUnNy8rk6SlkYxLgYZMUUWWJ1LuTu
9HFSqpFcxgtTzcoEUsrAxSkAE4nSYPgrzdL1bQ1bvfG9h44/3Dtkk7njvjC9XHE/
2kzwLeOV+vTNjAyHZt4/96P3wN0H7x7Y79oondUbIc6a+Onj3578CtEn4Xu5AQ==
=0dLq
-----END PGP MESSAGE-----

This signed message consists of the following packets:

- Compressed Data packet: itself containing a ZIP-compressed packet-list:
  - One-Pass Signature packet: an optional packet containin...
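The packet framing described above, as an added example that is not part of the original write-up or of OpenPGP.js: it dearmors the sample message quoted above and reads the top-level packet headers following the RFC 9580 header layout. The function names and the small tag and compression tables are this example's own, and partial body lengths are rejected rather than reassembled.

```javascript
// Sample input: the armored message quoted on this page (blank separator line included).
const ARMORED = `-----BEGIN PGP MESSAGE-----

owGbwMvMwCV2JXpbW1xI0SnG0zxJDBkOns8zUnNy8rk6SlkYxLgYZMUUWWJ1LuTu
9HFSqpFcxgtTzcoEUsrAxSkAE4nSYPgrzdL1bQ1bvfG9h44/3Dtkk7njvjC9XHE/
2kzwLeOV+vTNjAyHZt4/96P3wN0H7x7Y79oondUbIc6a+Onj3578CtEn4Xu5AQ==
=0dLq
-----END PGP MESSAGE-----`;
const TAGS = { 1: 'PKESK', 2: 'Signature', 4: 'One-Pass Signature', 8: 'Compressed Data', 11: 'Literal Data' };
const COMPRESSION = { 0: 'Uncompressed', 1: 'ZIP', 2: 'ZLIB', 3: 'BZip2' };

// Strip the armor lines, any armor headers and the "=xxxx" CRC line, then base64-decode.
function dearmor(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  const start = lines.findIndex((l) => l.startsWith('-----BEGIN '));
  const end = lines.findIndex((l) => l.startsWith('-----END '));
  if (start < 0 || end <= start) throw new Error('no armor block found');
  const body = lines.slice(start + 1, end);
  const data = body.slice(body.indexOf('') + 1); // skip headers up to the blank line, if any
  return Buffer.from(data.filter((l) => l && !l.startsWith('=')).join(''), 'base64');
}

// Walk the top-level packet sequence, reading only each header (tag + body length).
function readPacketHeaders(buf) {
  const packets = [];
  let pos = 0;
  while (pos < buf.length) {
    const ctb = buf[pos++];
    if (!(ctb & 0x80)) throw new Error('bit 7 of a packet header must be set');
    let tag, len;
    if (ctb & 0x40) { // OpenPGP format: 6-bit tag, 1/2/5-octet length
      tag = ctb & 0x3f;
      const o = buf[pos++];
      if (o < 192) len = o;
      else if (o < 224) len = ((o - 192) << 8) + buf[pos++] + 192;
      else if (o === 255) { len = buf.readUInt32BE(pos); pos += 4; }
      else throw new Error('partial body lengths are not supported here');
    } else { // legacy format: 4-bit tag, 2-bit length type
      tag = (ctb >> 2) & 0x0f;
      const lt = ctb & 0x03;
      if (lt === 3) len = null; // indeterminate: body runs to the end of the input
      else { len = buf.readUIntBE(pos, 1 << lt); pos += 1 << lt; }
    }
    const end = len === null ? buf.length : pos + len;
    if (end > buf.length) throw new Error('packet body exceeds input');
    packets.push({ tag, name: TAGS[tag] || 'unknown', length: len, compression: tag === 8 ? COMPRESSION[buf[pos]] : undefined });
    pos = end;
  }
  return packets;
}
console.log(readPacketHeaders(dearmor(ARMORED)));
```

For the sample message this reports a single legacy-format Compressed Data packet with indeterminate length and ZIP compression; the One-Pass Signature and following packets only become visible after inflating that packet's body.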

First seen: 2025-06-10 14:23

Last seen: 2025-06-11 08:27