Improper Verification of Cryptographic Signature in tenvoy
Description
tEnvoy provides PGP, NaCl, and PBKDF2 in Node.js and the browser (hashing, random, encryption, decryption, signatures, conversions) and is used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message, even if the signature is invalid. This issue is patched in version 7.0.3. As a workaround, in tenvoy.js, under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the call to this.verify in the return statement ends in .verified.
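The failure described above, as an added example that is not tEnvoy's code: a simplified Node.js model showing why a `verify` that returns a result object (the shape the fix's `.verified` implies) defeats the `&&` check, and what the corrected check rejects. The `SigningKey` class, its method names, the `hash::signature` format and the use of Node's built-in Ed25519 in place of the library's NaCl routines are assumptions made for illustration.

```javascript
// Added illustration: simplified stand-in, not tEnvoy's code.
const crypto = require("node:crypto");

const sha512Hex = (msg) => crypto.createHash("sha512").update(msg).digest("hex");

// Hypothetical key class. Assumed format: "<sha512 hex of message>::<signature hex>".
class SigningKey {
  constructor() {
    Object.assign(this, crypto.generateKeyPairSync("ed25519"));
  }
  sign(message) {
    const hash = sha512Hex(message);
    const sig = crypto.sign(null, Buffer.from(hash, "hex"), this.privateKey);
    return `${hash}::${sig.toString("hex")}`;
  }
  // Returns a result object, not a boolean.
  verify(signed) {
    const [hash, sig] = signed.split("::");
    const verified = crypto.verify(null, Buffer.from(hash, "hex"),
      this.publicKey, Buffer.from(sig || "", "hex"));
    return { verified, hash };
  }
  // Pre-fix shape: the object is always truthy, so only the hash comparison decides.
  verifyWithMessageVulnerable(signed, message) {
    return this.verify(signed) && sha512Hex(message) == signed.split("::")[0];
  }
  // Fixed shape: the signature result must be exactly true before the hash counts.
  verifyWithMessageFixed(signed, message) {
    return this.verify(signed).verified === true &&
      sha512Hex(message) === signed.split("::")[0];
  }
}

// Regression check on constructed inputs.
function regressionCheck() {
  const trusted = new SigningKey();
  const message = "constructed sample message";
  const genuine = trusted.sign(message);
  const foreign = new SigningKey().sign(message); // same hash prefix, other key's signature
  return {
    vulnerable: { genuine: trusted.verifyWithMessageVulnerable(genuine, message),
                  foreign: trusted.verifyWithMessageVulnerable(foreign, message) },
    fixed: { genuine: trusted.verifyWithMessageFixed(genuine, message),
             foreign: trusted.verifyWithMessageFixed(foreign, message),
             wrongMessage: trusted.verifyWithMessageFixed(genuine, "other message") },
  };
}

console.log(regressionCheck());
```

A regression test of this kind, asserting that a value signed by a different key is rejected, is the check that distinguishes the patched behaviour from the unpatched one.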
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tenvoy (npm) | < 7.0.3 | 7.0.3 |
Affected products (1)
Patches (1)
a121b34a45e2 Critical security fix in verifyWithMessage
2 files changed · +2 −2
node/tenvoy.js+1 −1 modified@@ -2166,7 +2166,7 @@ function tEnvoyNaClSigningKey(key, type = "secret", password = null, passwordPro throw "tEnvoyNaClSigningKey Fatal Error: Invalid signature."; } let hash = _tEnvoy.util.hexToBytes(signed.split("::")[0]); - return this.verify(signed, password) && _tEnvoy.util.bytesToHex(_nacl.hash(_tEnvoy.util.pack(message))) == _tEnvoy.util.bytesToHex(hash); + return this.verify(signed, password).verified && _tEnvoy.util.bytesToHex(_nacl.hash(_tEnvoy.util.pack(message))) == _tEnvoy.util.bytesToHex(hash); } this.toPublic = (password = null) => {
tenvoy.js+1 −1 modified@@ -48183,7 +48183,7 @@ function tEnvoyNaClSigningKey(key, type = "secret", password = null, passwordPro throw "tEnvoyNaClSigningKey Fatal Error: Invalid signature."; } let hash = _tEnvoy.util.hexToBytes(signed.split("::")[0]); - return this.verify(signed, password) && _tEnvoy.util.bytesToHex(_nacl.hash(_tEnvoy.util.pack(message))) == _tEnvoy.util.bytesToHex(hash); + return this.verify(signed, password).verified && _tEnvoy.util.bytesToHex(_nacl.hash(_tEnvoy.util.pack(message))) == _tEnvoy.util.bytesToHex(hash); } this.toPublic = (password = null) => {
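Review bot: In the node/tenvoy.js hunk, the corrected return line still relies on the caller remembering a property access to turn the result of this.verify into a boolean, so any other call site that tests the returned object directly would have the same defect. Compare explicitly with `this.verify(signed, password).verified === true`, use `===` rather than `==` for the hex-string comparison, and add a regression test that passes a signed value whose hash prefix matches the message but whose signature is not valid for this key and expects false.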
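Review bot: The tenvoy.js hunk at line 48183 repeats the node/tenvoy.js change character for character, so this security fix has to land in two copies of verifyWithMessage and a future edit can easily reach only one of them. If tenvoy.js is a build product, regenerate it from the source rather than patching it by hand; otherwise add a check that the two copies of the method stay identical.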
References (5)
- github.com/advisories/GHSA-7r96-8g3x-g36m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-32685 (ghsa, ADVISORY)
- github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b (ghsa, x_refsource_MISC, WEB)
- github.com/TogaTech/tEnvoy/releases/tag/v7.0.3 (ghsa, x_refsource_MISC, WEB)
- github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m (ghsa, x_refsource_CONFIRM, WEB)