VYPR
Critical severity9.8NVD Advisory· Published Jun 16, 2021· Updated Jun 17, 2026

CVE-2021-32685

CVE-2021-32685

Description

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In tenvoy.js under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement call to this.verify ends in .verified.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
tenvoynpm
< 7.0.37.0.3

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.