PT-2021-19856 · Tenvoy · Tenvoy

Published 2021-06-16 · Updated 2021-06-28 · CVE-2021-32685

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: tEnvoy versions prior to 7.0.3

Description: The verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message, even if the signature is invalid. This issue is patched in version 7.0.3.

Recommendations: For versions prior to 7.0.3, upgrade to version 7.0.3 immediately to resolve this issue. As a temporary workaround, in tenvoy.js under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement call to this.verify ends in .verified. Reverify any signatures that were previously verified with the vulnerable verifyWithMessage method.

Fix

Improper Verification of Cryptographic Signature


Weakness Enumeration

Related Identifiers

CVE-2021-32685
GHSA-5W25-HXP5-H8C9
GHSA-7R96-8G3X-G36M

Affected Products

Tenvoy