• openpgp.js vulnerability

    From August Abolins@VERT/FILECABI to All on Sun May 25 11:30:00 2025
    Best to patch up!

    There is a CVE-2025-47934 issued for the openpgp.js issue
    mentioned a few days ago.

    People using Mailvelope, Flowcrypt, Mymail-crypt, UDC,
    Encrypt.to, PGP Anywhere, passbolt ..should be wary.

    Protonmail seems to be using one of the openpgp.js packages out
    there too, but I cannot confirm which one.

    "Proton Mail uses version 3.0 of OpenPGPjs. This version,
    released in March 2018, includes improvements that enable full
    interoperability with PGP and allows for better overall
    functionality, as outlined by Proton." ..that's their
    statement from 2018.

    So.. does Protonmail use this one..
    https://github.com/ProtonMail/gopenpgp ?

    Or this one..
    https://Github.com/openpgpjs/openpgpjs ..has 6.1.0.

    "In technical terms, the vulnerability arises because
    OpenPGP.js fails to correctly associate the extracted message
    data with its actual signature during verification. This
    oversight allows attackers to manipulate the content of a
    message while retaining a valid signature from a previous,
    unrelated message.

    "In order to spoof a message," the advisory explains, "the
    attacker needs a single valid message signature (inline or
    detached) as well as the plaintext data that was legitimately
    signed. They can then construct an inline-signed or
    signed-and-encrypted message containing any data of their
    choice, which will appear as legitimately signed."

    "This means a bad actor can reuse a valid signature to forge
    new content that appears authentic to the recipient, bypassing
    the trust model OpenPGP is built upon."

    Mozilla's Response and Patches
    In response to these vulnerabilities, Mozilla has issued
    security patches for the following versions:

    Mozilla Firefox 134
    Mozilla Thunderbird 134
    Firefox ESR 115.19 and 128.6
    Thunderbird ESR 115.19 and 128.6

    https://thecyberexpress.com/critical-vulnerabilities-in-mozilla-products/

    --- OpenXP 5.0.64

    * Origin: (1:396/45.29)