CVE-2019-9153

Name of the Vulnerable Software and Affected Versions openpgp versions prior to 4.2.0

Description The issue allows an attacker to forge signed messages by replacing their signatures with a "standalone" or "timestamp" signature. This is due to the improper verification of a cryptographic signature in OpenPGP.js. An attacker can construct a message with a signature type that only verifies subpackets without additional input, such as standalone or timestamp, allowing them to create arbitrary signed messages that would be verified correctly.

Recommendations Upgrade to version 4.2.0 or later. If you are upgrading from a version <4.0.0, read the High-Level API Changes section of the openpgp 4.0.0 release to ensure a smooth transition.