Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2025-47934 – Spoofing OpenPGP.js signature verification - 1668

Thomas Rinsma, Posted 9 Months Ago
  • OpenPGP.js is a JavaScript implementation of PGP that implements the OpenPGP standard (RFC 9580). It's used for encrypted emails, signing git commits and many other things.
  • The PGP payload consists of a list of packets with no overarching header. The packets implement a custom binary protocol that can be sent as is or base64 encoded. The format is VERY flexible as a result. Different types of packets can be sent in any order.
  • The vulnerability is around the unnecessary parsing of extra data on a PGP packet. The signature data should be the final part of the packet according to the specification. Crazily enough, it doesn't have to be!
  • The verification code iterates over the packets until it reaches the signature packet. However, the usage code takes all of the blocks. This means that dangling data at the end is still valid, even though it was never verified. This applies to both encryption and signature verification.
  • Overall, a good post! These issues around double parsing of blocks are becoming more and more relevant and this is a trick to keep in mind.
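
A toy model of the verify-versus-use mismatch summarized above, as an added example that is not code from OpenPGP.js or from the original post. The packet shapes, `tag()` (a non-cryptographic stand-in for signature verification), the key and all function names are assumptions made for illustration; the hardened reader returns only the verified data and rejects packets after the signature.

```javascript
// Toy model, not OpenPGP.js code: a message is a flat list of packets.
// tag() is a NON-cryptographic stand-in (FNV-1a) for a real signature check.
function tag(key, text) {
  let h = 0x811c9dc5;
  for (const ch of key + '\u0000' + text) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}
const KEY = 'constructed-demo-key'; // constructed value
const literals = (ps) => ps.filter((p) => p.type === 'literal').map((p) => p.data).join('');

function sign(text) {
  return [{ type: 'literal', data: text }, { type: 'signature', value: tag(KEY, text) }];
}

// Verification step: only looks at packets up to the signature packet.
function verifiedPrefix(packets) {
  const sigIndex = packets.findIndex((p) => p.type === 'signature');
  if (sigIndex < 0) return null;
  const covered = literals(packets.slice(0, sigIndex));
  return packets[sigIndex].value === tag(KEY, covered) ? { sigIndex, covered } : null;
}

// Mismatched reader: verifies the prefix but builds the result from ALL packets.
function readLoose(packets) {
  return { verified: verifiedPrefix(packets) !== null, data: literals(packets) };
}

// Hardened reader: rejects trailing packets and returns exactly what was verified.
function readStrict(packets) {
  const v = verifiedPrefix(packets);
  if (v === null) return { verified: false, data: null, reason: 'bad or missing signature' };
  if (v.sigIndex !== packets.length - 1) {
    return { verified: false, data: null, reason: 'packets after signature' };
  }
  return { verified: true, data: v.covered };
}

// Constructed sample input: a signed message, then the same message with a
// dangling literal packet appended after the signature packet.
const signed = sign('pay 10 EUR');
const withTrailing = [...signed, { type: 'literal', data: ' (unverified trailing packet)' }];

console.log(readLoose(withTrailing));  // verified: true, data includes trailing packet
console.log(readStrict(withTrailing)); // verified: false, reason: packets after signature
console.log(readStrict(signed));       // verified: true, data: 'pay 10 EUR'
```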