Two of our Codean Labs colleagues evaluated OpenPGP.js and identified a signature spoofing vulnerability. The writeup includes a PoC in which we demonstrate the vulnerability by spoofing a message from the Dutch government's Cyber Security Center!
https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/
CVE-2025-47934 - Spoofing OpenPGP.js signature verification — Codean Labs
CVE-2025-47934 allows attackers to spoof arbitrary signatures and encrypted emails that OpenPGP.js reports as valid. The only requirement is access to a single valid signed message from the target author ("Alice"). Since this undermines the core principle of PGP and directly affects applications that integrate the library, we strongly recommend updating OpenPGP.js to version v5.11.3, v6.1.1, or newer.
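The advisory's remediation is a version bump, so the practical defender question is whether any copy of `openpgp` in a dependency tree is still below the fixed releases it names (v5.11.3 on the 5.x line, v6.1.1 on the 6.x line, "or newer"). The following is an added example written for this page, not code from Codean Labs or from the OpenPGP.js project: it parses version strings, classifies them against those fixed releases, and walks a dependency tree in the shape that `npm ls --json` produces. The tree below is a constructed sample; a 4.x version is reported as `unknown` because the advisory text says nothing about that line, and pre-release tags such as `6.1.1-beta.1` are treated as preceding the release.

```javascript
// Added example (not from the Codean Labs post or OpenPGP.js): check
// installed openpgp versions against the fixed releases the advisory names.

// Parse "v6.0.0", "6.1.1-beta.1" or "5.11.3" into numeric parts plus a
// flag for a pre-release suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Semver-style ordering: numeric parts first, then a pre-release of the
// same number sorts before the final release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.pre !== b.pre) return a.pre ? -1 : 1;
  return 0;
}

// Fixed releases as stated in the advisory, keyed by major line.
const FIXED_BY_MAJOR = { 5: parseVersion("5.11.3"), 6: parseVersion("6.1.1") };

// Returns "fixed", "affected" or "unknown" (major lines the advisory text
// does not mention, e.g. 4.x, are left for manual review rather than guessed).
function cve202547934Status(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_BY_MAJOR[parsed.nums[0]];
  if (fixed) return compareVersions(parsed, fixed) >= 0 ? "fixed" : "affected";
  if (parsed.nums[0] > 6) return "fixed"; // "or newer" covers later major lines
  return "unknown";
}

// Walk a dependency tree shaped like `npm ls --json` output and collect every
// openpgp copy (direct or nested) that is not on a fixed release.
function findAffected(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === "openpgp") {
      const status = cve202547934Status(info.version);
      if (status !== "fixed") {
        out.push({ path: here.join(" > "), version: info.version, status });
      }
    }
    findAffected(info, here, out);
  }
  return out;
}

// Constructed sample tree: a fixed direct dependency plus a nested, still
// vulnerable copy pulled in transitively by another package.
const SAMPLE_TREE = {
  dependencies: {
    openpgp: { version: "6.1.1" },
    "mail-widget": {
      version: "1.0.0",
      dependencies: { openpgp: { version: "5.11.2" } },
    },
  },
};

const REPORT = findAffected(SAMPLE_TREE);
console.log(JSON.stringify(REPORT, null, 2));
```

To run this against a real project, pipe the output of `npm ls --json --all` into `findAffected` instead of `SAMPLE_TREE`; nested copies matter because a vulnerable transitive `openpgp` is as exploitable as a direct one.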