openpgp is vulnerable to Uncontrolled Resource Consumption
50
Medium Risk
The openpgp library derives symmetric keys from a passphrase using the Argon2 string-to-key function when it parses password-protected messages or private keys that select Argon2. It reads the Argon2 memory-cost exponent directly from the external-supplied packet and, before running key derivation, does not cap how much memory the derivation may request. An attacker can craft a message or key whose Argon2 parameters stay within the OpenPGP specification yet demand very large allocations, so a victim who attempts decryption triggers excessive memory allocation that can crash the process. The fix adds a config.maxArgon2MemoryExponent limit and throws Argon2OutOfMemoryError when the requested exponent exceeds it.
You are affected if you are using a version that falls within the vulnerable range and decrypt password-protected messages or keys that use Argon2 for string-to-key derivation.
openpgp is vulnerable to Uncontrolled Resource Consumption in versions 6.0.0 - 6.3.0.
Upgrade the openpgp library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant