Spoofing OpenPGP.js signature verification (write-up)

During a research project for Codean Labs, Edoardo and I found several vulnerabilities in OpenPGP.js. The worst was a subtle logical flaw that allowed an attacker to craft a “valid” PGP signature without access to the corresponding private key.

Read the write-up on Codean Labs’ blog:
https://codeanlabs.com/2025/06/cve-2025-47934-spoofing-openpgp-js-signatures/

Media coverage

YesWeHack wrote a blog post about this bug after several online news outlets picked it up, including TechRadar, SecurityWeek, and The Register.