epa4all-client has a VAU Signature bypass
High severity
GitHub Reviewed
Published May 6, 2026 in oviva-ag/epa4all-client. Updated Jun 8, 2026.
Package
Affected versions: <= 1.2.0
Patched versions: 1.2.1
Description
Published to the GitHub Advisory Database: May 8, 2026
Reviewed: May 8, 2026
Published by the National Vulnerability Database: May 26, 2026
Last updated: Jun 8, 2026
Impact
In SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, an OCSP check, and signature algorithm setup, but never checks whether the signature actually matches the signed data. For any structurally valid signature, it therefore returns true.
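The discarded-return-value pattern beside its fix, as an added illustration using java.security.Signature and not the project's own code; the class and method names are assumed, and the chain validation and OCSP steps of the real method are omitted. The main method signs a constructed blob, alters one byte of the data, and calls both variants with the unchanged signature.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

// Hypothetical illustration of the advisory's bug, not the project's code:
// class and method names are assumed; chain validation and OCSP are omitted.
final class SignedKeyVerifier {
    // Vulnerable pattern: verify() returns false on a mismatch, but the
    // boolean is dropped, so every well-formed DER signature is accepted.
    static boolean isTrustedVulnerable(PublicKey signerKey, byte[] data, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(signerKey);
            verifier.update(data);
            verifier.verify(sig);          // result discarded
            return true;                   // reached whenever sig parses
        } catch (GeneralSecurityException e) {
            return false;                  // only malformed input fails
        }
    }
    // Hardened: the verification outcome is the return value.
    static boolean isTrustedFixed(PublicKey signerKey, byte[] data, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(signerKey);
            verifier.update(data);
            return verifier.verify(sig);   // false on mismatch
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair kp = gen.generateKeyPair();
        byte[] original = "signed public key blob".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(original);
        byte[] sig = signer.sign();
        byte[] tampered = original.clone(); // constructed: flip one data byte,
        tampered[0] ^= 0x01;                // the signature itself stays valid DER
        System.out.println("vulnerable: " + isTrustedVulnerable(kp.getPublic(), tampered, sig));
        System.out.println("fixed:      " + isTrustedFixed(kp.getPublic(), tampered, sig));
    }
}
```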
Patches
Patched in #34.
Workarounds
None.
Credits
Machine Spirits (contact@machinespirits.de)