Search for packages
| purl | pkg:npm/openpgp@0.9.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6yrb-1xx1-zkfx
Aliases: CVE-2023-41037 GHSA-ch3c-v47x-4pgp |
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed. A user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead _visually trusting_ the contents of the original message. Since `verificationResult.data` would always contain the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using `armor()` will also result in a "sanitised" version, with the extraneous text being removed. This issue has been addressed in version 5.10.1 (current stable version) which will reject messages when calling `openpgp.readCleartextMessage()` and in version 4.10.11 (legacy version) which will will reject messages when calling `openpgp.cleartext.readArmored()`. Users are advised to upgrade. Users unable to upgrade should check the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-ex13-d3nb-z3an
Aliases: CVE-2019-9153 GHSA-qwqc-28w3-fww6 |
Message Signature Bypass in openpgp |
Affected by 2 other vulnerabilities. |
|
VCID-kprp-qhgm-8ffd
Aliases: CVE-2015-8013 GHSA-qmvq-f3fj-m3wg |
Affected by 4 other vulnerabilities. |
|
|
VCID-pqph-mbcy-6uce
Aliases: CVE-2019-9155 GHSA-77jf-fjjf-xcww |
Invalid Curve Attack in openpgp |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-umd7-y588-3bh7
Aliases: CVE-2019-9154 GHSA-hfmf-q43v-2ffj |
Improper Key Verification in openpgp |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T19:04:00.059354+00:00 | GitLab Importer | Affected by | VCID-6yrb-1xx1-zkfx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openpgp/CVE-2023-41037.yml | 38.6.0 |
| 2026-06-12T18:15:35.661557+00:00 | GitLab Importer | Affected by | VCID-kprp-qhgm-8ffd | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openpgp/CVE-2015-8013.yml | 38.6.0 |
| 2026-06-12T17:13:48.377151+00:00 | GitLab Importer | Affected by | VCID-umd7-y588-3bh7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openpgp/CVE-2019-9154.yml | 38.6.0 |
| 2026-06-12T17:13:47.806275+00:00 | GitLab Importer | Affected by | VCID-ex13-d3nb-z3an | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openpgp/CVE-2019-9153.yml | 38.6.0 |
| 2026-06-12T17:13:47.228225+00:00 | GitLab Importer | Affected by | VCID-pqph-mbcy-6uce | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/openpgp/CVE-2019-9155.yml | 38.6.0 |