• openpgp.js vulnerability

    From August Abolins@618:400/23.10 to All on Sun May 25 11:30:00 2025
    Best to patch up!

    There is a CVE-2025-47934 issued for the openpgp.js issue
    mentioned a few days ago.

    People using Mailvelope, Flowcrypt, Mymail-crypt, UDC,
    Encrypt.to, PGP Anywhere, passbolt ..should be wary.

    Protonmail seems to be using one of the openpgp.js packages out
    there too, but I cannot confirm which one.

    "Proton Mail uses version 3.0 of OpenPGPjs. This version,
    released in March 2018, includes improvements that enable full
    interoperability with PGP and allows for better overall
    functionality, as outlined by Proton." ..that's their
    statement from 2018.

    So.. does Protonmail use this one..
    https://github.com/ProtonMail/gopenpgp ?

    Or this one..
    https://Github.com/openpgpjs/openpgpjs ..has 6.1.0.


    "In technical terms, the vulnerability arises because
    OpenPGP.js fails to correctly associate the extracted message
    data with its actual signature during verification. This
    oversight allows attackers to manipulate the content of a
    message while retaining a valid signature from a previous,
    unrelated message.

    "In order to spoof a message," the advisory explains, "the
    attacker needs a single valid message signature (inline or
    detached) as well as the plaintext data that was legitimately
    signed. They can then construct an inline-signed or signed-and-
    encrypted message containing any data of their choice, which
    will appear as legitimately signed."

    "This means a bad actor can reuse a valid signature to forge
    new content that appears authentic to the recipient, bypassing
    the trust model OpenPGP is built upon.

    Mozilla's Response and Patches
    In response to these vulnerabilities, Mozilla has issued
    security patches for the following versions:

    Mozilla Firefox 134
    Mozilla Thunderbird 134
    Firefox ESR 115.19 and 128.6
    Thunderbird ESR 115.19 and 128.6

    https://thecyberexpress.com/critical-vulnerabilities-in-mozilla-products/


    --- OpenXP 5.0.64
    * Origin: (618:400/23.10)
  • From digimaus@618:618/1 to August Abolins on Sun May 25 18:39:09 2025
    August Abolins wrote to All <=-

    People using Mailvelope, Flowcrypt, Mymail-crypt, UDC,
    Encrypt.to, PGP Anywhere, passbolt ..should be wary.

    Mailvelope allows you to use an installed version of GPG instead of the JS script. That's much more secure.

    -- Sean


    ... If you can't understand it, it is intuitively obvious.
    --- MultiMail/Win
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From August Abolins@618:250/1.9 to digimaus on Mon May 26 08:51:00 2025
    Hello digimaus!

    ** On Sunday 25.05.25 - 18:39, digimaus wrote to August Abolins:

    People using Mailvelope, Flowcrypt, Mymail-crypt, UDC,
    Encrypt.to, PGP Anywhere, passbolt ..should be wary.

    Mailvelope allows you to use an installed version of GPG instead of the
    JS script. That's much more secure.

    Hmmm..


    "Key management by GnuPG

    "If you have selected GnuPG as your preferred backend for
    encryption in Options -> General -> OpenPGP Preferences, the
    keys will be managed by your local GnuPG program (usually
    GPG4Win or GPGTools).

    OK.. That's for the "key management" part. But I'm not sure if
    that is the same thing as avoiding the security issue talked
    about.

    --
    ../|ug

    --- OpenXP 5.0.64
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From August Abolins@618:250/1.9 to digimaus on Mon May 26 09:26:00 2025
    ** On Monday 26.05.25 - 08:51, August Abolins wrote to digimaus:

    Mailvelope allows you to use an installed version of GPG instead of the
    JS script. That's much more secure.

    Hmmm..


    "Key management by GnuPG

    "If you have selected GnuPG as your preferred backend for
    encryption in Options -> General -> OpenPGP Preferences, the
    keys will be managed by your local GnuPG program (usually
    GPG4Win or GPGTools).

    OK.. That's for the "key management" part. But I'm not sure if
    that is the same thing as avoiding the security issue talked
    about.


    NEVERMIND.. It seems, that the GnuPG option does indeed avoid
    the OpenPGP.js security issue:

    "Unaffected Users

    "Users who have activated the GnuPG integration in Mailvelope
    and exclusively use the GnuPG keyring for all operations
    (including verification) are not affected by this
    vulnerability. This is because the issue is specific to
    OpenPGP.js, and GnuPG operates as an independent encryption
    library.

    Meanwhile.. the Firefox addon seems to be only available to
    specific versions of Firefox. A download sends me to the
    mozilla.org addons section, but only offers version 5.2.0 for
    my Firefox 115.23.1esr

    So.. I guess, by simply switching to the GnuPG management
    option, all is well?

    --
    ../|ug

    --- OpenXP 5.0.64
    * Origin: (} Pointy McPointface (618:250/1.9)