Headlines generated by a critical signature-spoofing flaw reported to the OpenPGP.js Bug Bounty Program attest to the rarity, technical sophistication and impact of such cryptographic bypasses.
The likes of TechRadar, SecurityWeek and The Register likely also covered the story because of the wide deployment of OpenPGP.js and the potential impact on popular downstream applications.
OpenPGP.js is an open source JavaScript implementation of the OpenPGP standard for message encryption and signing. OpenPGP is typically used for end-to-end encrypted email, signing of git commits and software releases, and encrypted file storage, among other things.
Now addressed, the OpenPGP.js vulnerability (CVE-2025-47934) could have enabled attackers to spoof signature verification and therefore dupe victims into trusting malicious messages or software commits. Credit for the discovery goes to Edoardo Geraci and Thomas Rinsma from Codean Labs, who have together netted a €7,500 bounty.
Meticulous method
The discovery demonstrates how patience and thoroughness are the highest of virtues when it comes to finding vulnerabilities.
“We could only find this issue by taking the time to properly understand both the software's architecture and the relevant data formats,” Thomas Rinsma told YesWeHack. “It shows that when you search thoroughly, even in such a widely-used (and, presumably, widely reviewed) open source component, critical bugs may be found.”
Bug Bounty Programs allow security researchers to invest as much time as they need in performing reconnaissance and probing targets – whether their efforts take hours, weeks or even months to reach fruition. The fact that Bug Bounty rewards scale up with severity helps to incentivise and reward hunters for the time they invest (although high or critical severity issues are not always more time-consuming to find than lower severity flaws).
Interestingly, the Codean Labs researchers experimented on this occasion with a time-boxed approach. This “helped us stay focused on the most impactful threats,” said Thomas. “There is an optimal balance somewhere between having enough time to dig deep enough, but also having someone tell you to move on after a while.”
Technical details
The vulnerability in question was uncovered when the researchers got a signature to verify successfully over data that had never actually been signed, by passing a maliciously modified message to either the openpgp.verify or openpgp.decrypt function.
“In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js,” reads the relevant GitHub advisory.
“In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature.”
Discussing the discovery process, Rinsma said: “We followed our standard asset-based methodology, where we take into account the relevant assets and attack surfaces, and analysed the flows between them. This led us to the signature verification logic where we found this flaw. Besides relying on code review, we wrote some one-off scripts to generate PGP payloads to test various edge cases in flows like this.”
For an in-depth analysis of the discovery process and proof-of-concept, read Thomas Rinsma’s newly published writeup that documents his and Edoardo Geraci’s discovery.
Rapid remediation
The OpenPGP.js team released a fix and advisory just 13 days after receiving the initial vulnerability report (on 6 May), once both YesWeHack’s triage team and the maintainers themselves had swiftly evaluated the issue.
“The disclosure process through YesWeHack has gone very smoothly,” said Rinsma. “The OpenPGP.js team have been nice to work with. They understood the impact and quickly coordinated with their users.”
In particular, Rinsma singled out Daniel Huigens, a maintainer of OpenPGP.js who oversaw validation and remediation, for praise.
Daniel, who also co-authored the latest version of the OpenPGP standard, told YesWeHack: “I would like to thank Edoardo Geraci and Thomas Rinsma for finding and responsibly disclosing this vulnerability, YesWeHack for hosting the Bug Bounty Program and triaging the report, and (last but not least) the Sovereign Tech Agency for sponsoring the Bug Bounty Program.”
A patch is available for users of affected versions (5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0). Should users be unable to upgrade to the patched versions, then they can alternatively follow mitigation advice contained within the advisory.
Again, for more details about this vulnerability, including mitigation advice, please check out Thomas Rinsma’s newly published writeup that documents his and Edoardo Geraci’s discovery.
Open source Bug Bounty opportunities from the Sovereign Tech Resilience Program
Offering up to €10,000 for critical issues and €5,000 for high severity bugs, the bounty grid for the OpenPGP.js Bug Bounty Program is highly competitive. In scope at present are three assets: the high-level API of OpenPGP.js, interoperability issues in OpenPGP.js and the OpenPGP standard.
The program is one of six public Bug Bounty initiatives currently overseen by the Sovereign Tech Resilience program, an initiative of the Sovereign Tech Agency. The other programs, which all also offer maximum rewards of €10,000, include Log4j (source of the notorious Log4Shell zero day), systemd, GNOME, ntpd-rs and Sequoia-PGP.
The Sovereign Tech Agency, which is funded by the German government, invests in open digital infrastructure to ensure a resilient and sustainable open source ecosystem. To this end, the Sovereign Tech Agency invests in critical yet underfunded open source projects via the Sovereign Tech Fund. It also runs the Sovereign Tech Fellowship, under which otherwise volunteer maintainers of critical free and open source software (FOSS) are remunerated for their contributions.
Want to learn more about the YesWeHack Bug Bounty & Vulnerability Management platform? Contact our team to schedule a demo with one of our experts.