
build(dev-deps): update dependency openpgp to v6.1.1 [security] #197


Merged: 1 commit into main from renovate/npm-openpgp-vulnerability, Jun 16, 2025

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented May 24, 2025

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| --- | --- | --- | --- | --- | --- |
| openpgp (source) | 6.1.0 -> 6.1.1 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2025-47934

Impact

A maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed.

This flaw allows signature verifications of inline (non-detached) signed messages (using openpgp.verify) and signed-and-encrypted messages (using openpgp.decrypt with verificationKeys) to be spoofed, since both functions return extracted data that may not match the data that was originally signed. Detached signature verifications are not affected, as no signed data is returned in that case.

In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js.

In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature.

Both OpenPGP.js v6 and v5 are affected. OpenPGP.js v4 is not affected.

Patches

The issue has been patched in versions 5.11.3 and 6.1.1.

Workarounds

  • When verifying inline-signed messages, extract the message and signature(s) from the message returned by openpgp.readMessage, and verify the(/each) signature as a detached signature by passing the signature and a new message containing only the data (created using openpgp.createMessage) to openpgp.verify.
  • When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling openpgp.decrypt without verificationKeys, and then passing the returned signature(s) and a new message containing the decrypted data (created using openpgp.createMessage) to openpgp.verify.

Acknowledgements

We would like to thank:


Release Notes

openpgpjs/openpgpjs (openpgp)

v6.1.1: - Security Patch

Compare Source

  • Address CVE-2025-47934 (Message signature verification could be spoofed)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
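As an added example (not code from this PR, from Renovate, or from the OpenPGP.js project), the two workarounds in the advisory above written as helpers over the OpenPGP.js v5/v6 API: the signature packets are pulled out of the message and verified as a detached signature over a freshly created message that contains only the data handed back to the caller, so the verified bytes and the returned bytes cannot diverge. The names `bindSafeVerifier`, `extractSignatures`, `verifyDetached`, `verifyInlineSigned` and `decryptAndVerify` are chosen here; the `openpgp` module is passed in rather than imported at the top so the helpers can be exercised against a stub as well as the real package.

```javascript
// Added example, not OpenPGP.js or project code. Binds an OpenPGP.js v5/v6
// module to helpers that implement the advisory's two workarounds: every
// signature is checked as a *detached* signature over exactly the data that
// is returned to the caller. The module is injected (bindSafeVerifier(openpgp))
// instead of imported so the helpers also run against a stub of the API.
function bindSafeVerifier(openpgp) {
  // Collect every signature packet of a (decompressed) message into a
  // Signature object, which is what openpgp.verify accepts as `signature`.
  function extractSignatures(message) {
    const sigPackets = message.packets.filterByTag(openpgp.enums.packet.signature);
    if (sigPackets.length === 0) throw new Error('message carries no signature packets');
    return new openpgp.Signature(sigPackets);
  }

  // Rebuild `data` as a fresh message and verify `signature` against it.
  // The bytes that were verified and the bytes that are returned are now the
  // same value, which is exactly the property the flaw violated.
  async function verifyDetached(signature, data, verificationKeys) {
    const message = await openpgp.createMessage(
      typeof data === 'string' ? { text: data } : { binary: data }
    );
    const { signatures } = await openpgp.verify({ message, signature, verificationKeys });
    if (signatures.length === 0) throw new Error('no signature could be matched to a key');
    // Each `verified` promise rejects for a bad signature or an unknown key.
    await Promise.all(signatures.map((s) => s.verified));
    return { data, signedBy: signatures.map((s) => s.keyID.toHex()) };
  }

  // Workaround 1: inline-signed message. Read it, unwrap any compression,
  // then verify the signature(s) as detached over the literal data only.
  async function verifyInlineSigned(armoredMessage, verificationKeys) {
    const message = await openpgp.readMessage({ armoredMessage });
    const unwrapped = await message.unwrapCompressed();
    const literal = unwrapped.packets.findPacket(openpgp.enums.packet.literalData);
    if (!literal) throw new Error('message carries no literal data packet');
    // Keep the literal packet's format so a text signature is verified over
    // text and a binary signature over the raw bytes.
    const data = literal.format === openpgp.enums.literal.binary
      ? literal.getBytes()
      : literal.getText();
    return verifyDetached(extractSignatures(unwrapped), data, verificationKeys);
  }

  // Workaround 2: signed+encrypted message. Decrypt WITHOUT verificationKeys,
  // then verify each returned signature as detached over the decrypted data.
  async function decryptAndVerify(armoredMessage, decryptionKeys, verificationKeys, format = 'utf8') {
    const message = await openpgp.readMessage({ armoredMessage });
    const { data, signatures } = await openpgp.decrypt({ message, decryptionKeys, format });
    if (signatures.length === 0) throw new Error('decrypted message is not signed');
    // In v5/v6 each entry's `signature` is a promise resolving to a Signature.
    const sigs = await Promise.all(signatures.map((s) => s.signature));
    const signedBy = [];
    for (const sig of sigs) {
      signedBy.push(...(await verifyDetached(sig, data, verificationKeys)).signedBy);
    }
    return { data, signedBy };
  }

  return { verifyInlineSigned, decryptAndVerify };
}
```

Usage against the real package is `const { verifyInlineSigned, decryptAndVerify } = bindSafeVerifier(await import('openpgp'))`, then `await verifyInlineSigned(armored, [publicKey])` or `await decryptAndVerify(armored, [privateKey], [publicKey])`; both resolve to `{ data, signedBy }` and reject if any signature does not verify over the returned data. Once the dependency is on 6.1.1 (or 5.11.3), as this PR does, the library's own `verify`/`decrypt` no longer have the flaw and the helpers only serve code that is still pinned to an older release.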

@renovate renovate bot added the internal Internal issues and tasks. No direct impact on end-user. label May 24, 2025
@codecov-commenter

codecov-commenter commented May 24, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 28.63%. Comparing base (d98521d) to head (9534132).
Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #197   +/-   ##
=======================================
  Coverage   28.63%   28.63%           
=======================================
  Files          41       41           
  Lines        1079     1079           
  Branches       17       19    +2     
=======================================
  Hits          309      309           
  Misses        765      765           
  Partials        5        5           
| Flag | Coverage Δ |
| --- | --- |
| core | 28.02% <ø> (ø) |
| webview | 32.63% <ø> (ø) |

☔ View full report in Codecov by Sentry.

@ivangabriele ivangabriele added the security:prevention Security vulnerability prevention fix. label Jun 16, 2025
@renovate renovate bot force-pushed the renovate/npm-openpgp-vulnerability branch from 63b4a49 to 9534132 Compare June 16, 2025 03:31
@ivangabriele ivangabriele merged commit a7f6db3 into main Jun 16, 2025
14 of 18 checks passed
@ivangabriele ivangabriele deleted the renovate/npm-openpgp-vulnerability branch June 16, 2025 03:44