OpenPGP.js bug enables encrypted message spoofing

Cybersecurity experts have identified a critical vulnerability in OpenPGP.js, which allows spoofing of signed and encrypted messages, undermining the security of encrypted communications. Users are urged to update to the latest versions to mitigate this high-severity threat affecting major email encryption platforms like Proton Mail. #OpenPGPjs #CVE202547934

Key points

  • A new high-severity flaw (CVE-2025-47934) impacts OpenPGP.js, compromising message authenticity.
  • The vulnerability affects versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0, with recommended updates to 5.11.3 and 6.1.1.
  • The flaw allows attackers to forge signatures, making messages appear legitimately signed without proper verification.
  • Cryptography experts advise users to verify signatures manually and follow specific steps for signed-and-encrypted messages.
  • Proton Mail, with over 100 million accounts, is among the major platforms relying on affected versions of OpenPGP.js.
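The affected version ranges above are the practical check a defender needs to run against a dependency tree. The following Node.js snippet is an added example, not code from the article or from the OpenPGP.js project: it implements semver comparison with prerelease ordering (so that 6.0.0-alpha.0 sorts below 6.0.0), tests a version against the reported ranges for CVE-2025-47934, and scans a package-lock.json in the lockfileVersion 2/3 "packages" layout for every `openpgp` entry, including nested copies under other packages' `node_modules`. The lockfile in the block is constructed for the example; the range boundaries and fixed versions (5.11.3 and 6.1.1) are taken from the summary above.

```javascript
// Added example (not from the article or the OpenPGP.js project):
// flag installed OpenPGP.js versions that fall inside the ranges reported
// for CVE-2025-47934 and scan a package-lock.json for them.

// Affected ranges as stated in the summary; fixed releases are 5.11.3 and 6.1.1.
const AFFECTED_RANGES = [
  { min: '5.0.1', max: '5.11.2' },
  { min: '6.0.0-alpha.0', max: '6.1.0' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Prerelease ordering per semver: a release sorts after any prerelease of the
// same core version; numeric identifiers sort below alphanumeric ones.
function comparePre(a, b) {
  if (!a && !b) return 0;
  if (!a) return 1;
  if (!b) return -1;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      const d = Number(x) - Number(y);
      if (d !== 0) return Math.sign(d);
    } else if (xn) {
      return -1;
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// True when the version lies inside any affected range (inclusive bounds).
function isAffectedVersion(v) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.max) <= 0
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every openpgp copy, nested ones included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/openpgp' || path.endsWith('/node_modules/openpgp')) {
      findings.push({ path, version: entry.version, affected: isAffectedVersion(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile for the example (not a real project).
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { openpgp: '^5.11.0' } },
    'node_modules/openpgp': { version: '5.11.2' },
    'node_modules/some-lib/node_modules/openpgp': { version: '6.1.1' },
  },
};

const findings = scanLockfile(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.path} ${f.version} -> ${f.affected ? 'AFFECTED' : 'ok'}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-path check matters because a transitive dependency can pin its own older `openpgp` even after the top-level copy has been upgraded.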

Read More: https://www.theregister.com/2025/05/20/openpgp_js_flaw/