Codeanio

**Name of the Vulnerable Software and Affected Versions** OpenPGP.js versions 5.0.1 through 5.11.2 OpenPGP.js versions 6.0.0 through 6.1.0 **Description** A maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline signed messages and signed-and-encrypted messages to be spoofed. The attacker needs a single valid message signature and the plaintext data that was legitimately signed to construct a spoofed message. Over 4,000 sites are still loading vulnerable OpenPGP.js files, affecting encryption frontends and crypto wallets. **Recommendations** For OpenPGP.js versions 5.0.1 through 5.11.2, update to version 5.11.3. For OpenPGP.js versions 6.0.0 through 6.1.0, update to version 6.1.1. As a temporary workaround, when verifying inline-signed messages, extract the message and signature(s) from the message returned by `openpgp.readMessage`, and verify the signature as a detached signature by passing the signature and a new message containing only the data to `openpgp.verify`. When decrypting and verifying signed+encrypted messages, decrypt and verify the message in two steps, by first calling `openpgp.decrypt` without `verificationKeys`, and then passing the returned signature(s) and a new message containing the decrypted data to `openpgp.verify`.

**Name of the Vulnerable Software and Affected Versions** Feathersjs versions prior to 4.5.18 Feathersjs versions prior to 5.0.8 **Description** The Feathers socket handler did not catch invalid string conversion errors, which could cause the NodeJS process to crash when sending an unexpected Socket.io message. For example, sending a message like `socket.emit('find', { toString: '' })` could crash the process. **Recommendations** For versions prior to 4.5.18, upgrade to version 4.5.18. For versions prior to 5.0.8, upgrade to version 5.0.8.