A security flaw in OpenPGP.js lets threat actors get forged messages to pass signature verification as legitimate, undermining the guarantees public key cryptography is meant to provide.
The bug affects versions 5.0.1 to 5.12.2 and 6.0.0-alpha.0 to 6.1.0, but a patch is available in versions 5.11.3 and 6.1.1.
In theory, the vulnerability could be exploited for fake payment authorization, among other things.
Users can apply the patch or use a workaround to mitigate the risk of exploitation. The bug is now tracked as CVE-2025-47934 and carries a high-severity CVSS score of 8.7/10.