CARVIEW |
Select Language
HTTP/2 200
date: Tue, 22 Jul 2025 23:51:48 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"bf7b869c6319cf13095fa126a8b178d9"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=PJSDqTbGEZqr%2FBdNc7%2BzqFgmwZ3N4VgA2kV3pAr9KKhRNm1aZTnMYtQaZtrpRXcznzzC59ivsuwalEgOXCLO3C0zuPQSJbSyEtWMW465wjDpuikhPHsRu6ClCSxFHopCP%2BQRJ3DwmwLTSLs6uNe%2Bij0wrvWH9OIzpfWkYX2ZkQ48cNAflCSHaoIyIzNLBd3ZzWtTcxj6UyW4NbLA0QZqCXHVbQiHBbLsCwR7NnDFc9qw4%2BYCwRkSJiE2h%2BPClroqZCJqrgFkeT933vavi26ecQ%3D%3D--3fo%2FRcva0A4UuMKA--WzYdui%2FEh71pELqSaEHzOg%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.964580668.1753228308; Path=/; Domain=github.com; Expires=Wed, 22 Jul 2026 23:51:48 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Wed, 22 Jul 2026 23:51:48 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: D28C:1D735C:1D4CB3:288708:68802414
Cure53 security audit · openpgpjs/openpgpjs Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 812
Cure53 security audit
Daniel Huigens edited this page Dec 18, 2018
·
3 revisions
OpenPGP.js has received a first complete audit of its codebase conducted by Cure53. The audit started in Feb 2014 and was sponsored by the Open Technology Fund (RFA). The penetration test yielded an overall of 26 issues. Among these findings, Cure53 has classified 12 as vulnerabilities, with 2 issues rated ‘critical’ in regards to their severity.
The complete report is available at: https://cure53.de/pentest-report_openpgpjs.pdf
With release v0.5.0 all critical, high and medium issues have been fixed. In the following we list all issues with their status and reference to GitHub commits if available.
- OP-01-009 Cleartext Messages Spoofing by Lax Armor Headers parsing (Critical) (329c92bc73)
- OP-01-015 EME-PKCS1-v1_5 padding uses Math.random() (Critical) (e1fcc51d0e)
- OP-01-019 Cleartext Message Spoofing in Armor Headers (Critical) (93ca8b62fe)
- OP-01-025 EME-PKCS1-v1_5 Error Handling in RSA Decryption (High) (ed13502dc2)
- OP-01-026 Errors in EMSA-PKCS1-v1_5 decoding routine (High) (357d49f7e9)
- OP-01-005 Side-channel leak in RSA decryption (High) (9f23c6a891)
- OP-01-011 Error suppression in UTF-8 decoding function (Medium) (28e7a80eba)
- OP-01-020 Missing check in DSA signature generation (Medium) (04680a67cd)
- OP-01-006 Generated keys have no stored algorithm preference (Medium) (1c818f2410)
- OP-01-008 Algorithm Preferences ignored upon Decryption (Medium) (3b9676f2e9)
- OP-01-024 Random Range Bias in DSA/Elgamal (Low) (3f626f4bfb)
- OP-01-018 Suggested improvement in RSA signature verification (Low) (357d49f7e9)
- OP-01-001 Type confusion in crypto.random.RandomBuffer (Low) (4d96089f72)
- OP-01-002 Math.random() usage in dead Code Branch (Low) (1acf1cff9a)
- OP-01-003 Suggested Code Enforcement of RandomBuffer (Low) (b9c597a41a)
- OP-01-010 Invalid Armor Checksum Validation (Low) (e8ef355604)
- OP-01-007 Algorithm Preferences ignored upon Encryption (Low) (22e4540ed9)
- OP-01-014 RSA Key Generation: Seeds are not destroyed (Low)
- OP-01-004 Inconsistent Bit Length of RSA Keys (Low) (proposed solution would drop performance of key generation by 60%)
- OP-01-012 RNG Bias in RSA Key Generation (Low)
- OP-01-013 RSA Key Gen.: Miller-Rabin-Test not conform with FIPS 186-4 (Low)
- OP-01-016 Comments on Javascript Code Quality (Low)
- OP-01-017 Consider to substitute the SHA module (Low)
- OP-01-021 Silent error handling in various places (Low)
- OP-01-022 Possible Optimization in RSA Supplemental Parameters (Low)
- OP-01-023 Recommendation to avoid logging of Private Keys (Low)
- OP-01-027 No check of armor type when de-armoring signed messages (Low)
- OP-01-028 Inconsistent documentation of PublicKey.read (Low)
- OP-01-029 Insufficient input validation in parsing packets (Low)
- OP-01-030 Insufficient validation in parsing public keys (Low)
- OP-01-031 Insufficient Validation in parsing PK-encrypted Session Keys (Low)
- OP-01-032 Inconsistent documentation of SymEncryptedSessionKey.read (Low)
- OP-01-033 Insufficient Validation for symmetrically Encrypted Session Keys (Low)
- OP-01-034 Insufficient Validation in Parsing One Pass Signatures (Low)
- OP-01-035 Insufficient Input Validation in Parsing Literals (Low)
- OP-01-036 Special “for your eyes only” Directive Ignored (Low)
The OpenPGP.js team would like to thank Cure53 for the audit and Open Technology Fund for sponsoring this event.
Clone this wiki locally
You can’t perform that action at this time.