{"id":"CVE-2021-32685","details":"tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.","aliases":["GHSA-7r96-8g3x-g36m"],"modified":"2026-04-10T04:34:51.462291Z","published":"2021-06-16T01:15:06.930Z","related":["GHSA-7r96-8g3x-g36m"],"references":[{"type":"ADVISORY","url":"https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3"},{"type":"ADVISORY","url":"https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m"},{"type":"FIX","url":"https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/togatech/tenvoy","events":[{"introduced":"0"},{"fixed":"455c90054b65a675933622a205fac27ee5647c55"},{"fixed":"a121b34a45e289d775c62e58841522891dee686b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.0.3"}]}}],"versions":["v0.6.3","v5.0.0","v5.0.1","v5.1.0","v5.1.1","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.0.4","v6.0.5","v7.0.0","v7.0.1","v7.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32685.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}