Correction: CVE-2019-9153 (openpgpjs) fix available in v4.2.0


Rangaswamy, Gayathri
Sep 15, 2025, 11:21:52 PM
to osv-d...@googlegroups.com

Hello,

I would appreciate the opportunity to create a pull request myself to contribute my findings. However, I currently do not have access to fork the repository. Please let me know if access can be granted so I can submit a PR directly.

If that is not possible, here is the issue description.

Affected Ecosystem: npm (openpgpjs)

Vulnerability:

- CVE: CVE-2019-9153
- GHSA: GHSA-qwqc-28w3-fww6
- Package: openpgp

What's missing?

The OSV entry for this vulnerability currently states "No fix available", but the upstream project fixed this issue in version 4.2.0. Other vulnerability databases (e.g., Snyk, GitHub Advisory Database, Red Hat) also recognize 4.2.0+ as not affected.

References:

- openpgpjs v4.2.0 release notes: https://github.com/openpgpjs/openpgpjs/releases/tag/v4.2.0
- GitHub Advisory for GHSA-qwqc-28w3-fww6: https://github.com/advisories/GHSA-qwqc-28w3-fww6
- Snyk advisory for SNYK-JS-OPENPGP-450846: https://security.snyk.io/vuln/SNYK-JS-OPENPGP-450846
- NVD entry for CVE-2019-9153: https://nvd.nist.gov/vuln/detail/CVE-2019-9153

Proposed fix:

Please update the OSV entry to reflect that the vulnerability is fixed in openpgp version 4.2.0 and later.

Thank you for maintaining OSV!

Thanks,

Gayathri Rangaswamy

Confidential, unpublished property of The Cigna Group. Do not duplicate or distribute. Use and distribution limited solely to authorized personnel. © Copyright 2024 Legal Disclaimer

CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright (c) 2025 Evernorth
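The practical consequence of the "No fix available" state described above is mechanical: an OSV record whose affected range has an `introduced` event but no `fixed` event is open-ended, so any tool consuming it will flag every later release, including 4.2.0, as vulnerable. The following is an added example (not code from the thread or from the OSV project) that evaluates an OSV-format record's affected ranges for a given npm package version, using the `affected` / `ranges` / `events` layout of the OSV schema. Both records below are constructed for illustration and are not the real text of GHSA-qwqc-28w3-fww6; the first mirrors the no-fix shape, the second adds the upstream fix at 4.2.0.

```python
"""Check whether a package version falls inside an OSV record's affected ranges."""
from typing import Optional

# Constructed OSV-style records (illustrative, not the real advisory text).
RECORD_NO_FIX = {
    "id": "GHSA-qwqc-28w3-fww6",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "openpgp"},
        # An "introduced" with no "fixed": the interval never closes.
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
    }],
}

RECORD_WITH_FIX = {
    "id": "GHSA-qwqc-28w3-fww6",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "openpgp"},
        "ranges": [{"type": "SEMVER",
                    "events": [{"introduced": "0"}, {"fixed": "4.2.0"}]}],
    }],
}


def parse_version(v: str) -> tuple:
    """Turn '4.2.0' (or '4.2.0-beta.1') into a comparable tuple of ints.
    Pre-release and build tags are dropped; enough for a fix check, not a
    full semver comparator."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def _matches(affected: dict, ecosystem: str, name: str) -> bool:
    pkg = affected.get("package", {})
    return pkg.get("ecosystem") == ecosystem and pkg.get("name") == name


def fixed_versions(record: dict, ecosystem: str, name: str) -> list:
    """All 'fixed' events for the package; an empty list is what a consumer
    renders as 'No fix available'."""
    out = []
    for aff in record.get("affected", []):
        if not _matches(aff, ecosystem, name):
            continue
        for rng in aff.get("ranges", []):
            for ev in rng.get("events", []):
                if "fixed" in ev:
                    out.append(ev["fixed"])
    return out


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if `version` lies inside any affected range of the record.

    Events are ordered: an 'introduced' opens an interval and the next
    'fixed' (exclusive) or 'last_affected' (inclusive) closes it. An interval
    left open at the end of the list matches every later version."""
    v = parse_version(version)
    for aff in record.get("affected", []):
        if not _matches(aff, ecosystem, name):
            continue
        if version in aff.get("versions", []):  # explicit version list
            return True
        for rng in aff.get("ranges", []):
            if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
                continue  # GIT ranges need repository history; not handled here
            start: Optional[tuple] = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    start = parse_version(ev["introduced"])
                elif "fixed" in ev and start is not None:
                    if start <= v < parse_version(ev["fixed"]):
                        return True
                    start = None
                elif "last_affected" in ev and start is not None:
                    if start <= v <= parse_version(ev["last_affected"]):
                        return True
                    start = None
            if start is not None and start <= v:  # open-ended interval
                return True
    return False


if __name__ == "__main__":
    for label, rec in (("no fix", RECORD_NO_FIX), ("fix at 4.2.0", RECORD_WITH_FIX)):
        print(label, "-> fixed in:", fixed_versions(rec, "npm", "openpgp") or "none",
              "| 4.2.0 affected:", is_affected(rec, "npm", "openpgp", "4.2.0"))
```

The same evaluation can be run against a live record by fetching it from the OSV API (for example the `GET https://api.osv.dev/v1/vulns/GHSA-qwqc-28w3-fww6` endpoint) and passing the JSON to `is_affected`; if the result for 4.2.0 flips between two fetches, the upstream range data changed, which is the kind of self-resolution the reply below refers to.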

Jess Lowe
Sep 16, 2025, 12:01:25 AM
to Rangaswamy, Gayathri, osv-d...@googlegroups.com
Hi Gayathri, 

Thanks for your interest in OSV's quality! The issue you have raised seems to have resolved itself. 

For future reference, we are reliant on upstream data sources to provide information about version ranges and the like. In this case it is NVD/CVE, which is plagued by a variety of ambiguous data expression issues. 

We don't do any human analysis or triage and unfortunately don't currently have a system to accept record-by-record improvements, but are considering looking into it in the future. 

On another note, I'm not sure which repository are you referring to?

Thanks, 
Jess & the OSV team.


Rangaswamy, Gayathri
Sep 21, 2025, 9:36:14 PM
to Jess Lowe, osv-d...@googlegroups.com

Hello Jess,

Thank you for your response. To clarify, I was referring to https://github.com/google/osv.dev

If there are any opportunities to contribute in the future, I would be happy to help. It would be nice if you could share the process.

Thanks,

Gayathri
