CVE-2025-47934 - Spoofing OpenPGP.js signature verification — Codean Labs
Research
Thomas Rinsma
06-10-2025
TL;DR
This is a write-up of CVE-2025-47934, a vulnerability in OpenPGP.js found by Codean Labs, which was patched in v5.11.3 and v6.1.1.
After obtaining a valid signature made by a target author (“Alice”), an attacker could abuse this vulnerability to “spoof” arbitrary signatures by Alice (even as encrypted messages), i.e. making it look (to OpenPGP.js users) as if Alice signed any arbitrary message. Given that this is a core principle of PGP which directly affe...
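The one thing a defender can act on from the summary above is the pair of fixed releases (v5.11.3 for the 5.x line, v6.1.1 for the 6.x line). The following is an added example, not code from the Codean Labs write-up or from the OpenPGP.js project: it parses semantic versions, decides whether an installed OpenPGP.js version includes the fix for CVE-2025-47934, and scans an npm-style lockfile `packages` map for copies that are still affected. The lockfile entries are a constructed sample, and treating major versions above 6 as fixed is an assumption.

```javascript
// Added example (not from the write-up or OpenPGP.js). Fixed versions are
// taken from the summary above: v5.11.3 on the 5.x line, v6.1.1 on the 6.x line.
const FIXED_VERSIONS = { 5: [5, 11, 3], 6: [6, 1, 1] };

// Parse "5.11.3" or "v6.1.1" into [major, minor, patch]; pre-release and
// build suffixes after the third number are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Standard three-component comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given OpenPGP.js version is known to carry the fix.
// Major lines before 5 have no fixed release listed, so they are reported
// as affected; majors above 6 are assumed (assumption, not from the page)
// to have been released after the fix.
function isPatched(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED_VERSIONS[v[0]];
  if (!fixed) return v[0] > 6;
  return compareVersions(v, fixed) >= 0;
}

// Walk a package-lock.json "packages" object and collect every openpgp
// copy (top-level or nested) whose resolved version is not patched.
function findAffectedOpenpgp(lockPackages) {
  const affected = [];
  for (const [path, entry] of Object.entries(lockPackages)) {
    if (!path.endsWith('node_modules/openpgp')) continue;
    if (!isPatched(entry.version)) affected.push({ path, version: entry.version });
  }
  return affected;
}

// Constructed sample lockfile fragment, not a real project's lockfile.
const SAMPLE_LOCK = {
  'node_modules/openpgp': { version: '5.11.2' },
  'node_modules/some-dep/node_modules/openpgp': { version: '6.1.1' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findAffectedOpenpgp(SAMPLE_LOCK));
}
```

Nested copies matter here: a transitive dependency can pin its own older `openpgp`, and only the lockfile shows every resolved copy, which is why the scan keys on the `node_modules/openpgp` path suffix rather than on the top-level entry alone.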
Read more at codeanlabs.com