CVE-2019-9153

HIGH

Openpgpjs < 4.1.2 - Signature Verification Bypass

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9153. PoCs published by ZenyWay.

AI-analyzed exploit summary: This repository contains a proof-of-concept for CVE-2019-9153, demonstrating a signature bypass vulnerability in the OpenPGP implementation. The PoC includes test cases to reproduce the attack, showing how tampered messages can bypass signature validation under certain configurations.

Description

Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing their signatures with a "standalone" or "timestamp" signature.

Exploits (1)

nomisec WORKING POC
by ZenyWay · poc
https://github.com/ZenyWay/opgp-service-cve-2019-9153


Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: OpenPGP implementations (e.g., opgp-service)
No auth needed
Prerequisites: OpenPGP implementation with AEAD_protect disabled
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.5
EPSS 0.0036
EPSS Percentile 58.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-347
Status published
Products (2)
npm/openpgp 0 - 4.2.0 (npm)
openpgpjs/openpgpjs < 4.1.2
Published Aug 22, 2019
Tracked Since Feb 18, 2026