CVE-2025-68972

5.9 MEDIUM

📋 TL;DR

This GnuPG vulnerability allows attackers to append unauthorized content to signed messages while still passing signature verification. The attack exploits how GnuPG handles formfeed characters (\f) at line endings in signed plaintext. Anyone using GnuPG versions through 2.4.8 for verifying signed messages is potentially affected.

💻 Affected Systems

Products:
  • GnuPG
  • GPG
Versions: All versions through 2.4.8
Operating Systems: Linux, Windows, macOS, BSD, All platforms running GnuPG
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations where GnuPG is used to verify signed messages containing plaintext with formfeed characters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify signed communications (like software updates, contracts, or security advisories) to include malicious content while appearing to have valid signatures, potentially leading to malware installation or fraudulent agreements.

🟠 Likely Case

Targeted attacks against organizations relying on GnuPG-signed communications where attackers could append misleading information or malicious links to otherwise legitimate signed messages.

🟢 If Mitigated

With proper monitoring and defense-in-depth, the impact is limited as the attack requires specific message manipulation and still produces 'invalid armor' warnings during verification.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept code and detailed analysis are publicly available. Exploitation requires crafting specific messages with formfeed characters but doesn't require authentication to the target system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GnuPG 2.4.9 and later

Vendor Advisory: https://dev.gnupg.org/T7247

Restart Required: No

Instructions:

1. Check current GnuPG version: gpg --version
2. Update using your package manager:
  • Ubuntu/Debian: sudo apt update && sudo apt upgrade gnupg
  • RHEL/CentOS: sudo yum update gnupg
  • macOS: brew upgrade gnupg
3. Verify update: gpg --version should show 2.4.9 or higher

🔧 Temporary Workarounds

Reject messages with formfeed characters (platforms: all)

Configure GnuPG to reject messages containing formfeed (\f) characters during verification:

gpg --verify --no-allow-formfeed signed_message.asc

Use armored signature verification only (platforms: all)

Only verify armored signatures and avoid plaintext verification:

gpg --verify signature.asc

🧯 If You Can't Patch

  • Implement message validation that strips or rejects formfeed characters before GnuPG processing
  • Use alternative signature verification tools for critical communications until patching is possible
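
The first workaround above can be enforced outside GnuPG. The following Python gate is an added example, not code from the GnuPG project or from this advisory: it scans the cleartext body of an RFC 4880 clear-signed message for formfeed characters, reports where they sit (and whether one is at a line ending, the position this CVE concerns), and only hands the file to gpg --verify when none are found. The sample messages are constructed, the signature armor in them is a placeholder, and the gpg invocation is the stock gpg --verify documented on this page.

```python
"""Pre-verification gate for clear-signed messages (added example).

Assumption: input is the RFC 4880 cleartext-signature format
("-----BEGIN PGP SIGNED MESSAGE-----" ... "-----BEGIN PGP SIGNATURE-----").
Messages containing any formfeed (\\f) in the signed body are refused
before GnuPG sees them; rejecting is preferred over stripping because
altering the body changes the text the signature covers.
"""
import subprocess
import sys
from typing import Dict, List

MSG_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample: a clean clear-signed message (placeholder signature).
SAMPLE_CLEAN = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Release notes for build 42.\n"
    "Checksums unchanged.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "<placeholder armor; not a real signature>\n"
    "-----END PGP SIGNATURE-----\n"
)

# Constructed sample: same message with a formfeed at the end of body line 2.
SAMPLE_SUSPECT = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Release notes for build 42.\n"
    "Checksums unchanged.\f\n"
    "Further lines follow here.\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "<placeholder armor; not a real signature>\n"
    "-----END PGP SIGNATURE-----\n"
)


def signed_body(text: str) -> str:
    """Return the cleartext body: after the 'Hash:' header block and before
    the signature armor. Falls back to the whole text if markers are absent,
    so a malformed message is still scanned rather than waved through."""
    text = text.replace("\r\n", "\n")
    start = text.find(MSG_BEGIN)
    end = text.find(SIG_BEGIN)
    if start == -1 or end == -1 or end < start:
        return text
    header_end = text.find("\n\n", start)  # blank line ends the armor headers
    if header_end == -1 or header_end > end:
        return text[start:end]
    return text[header_end + 2:end]


def find_formfeeds(text: str) -> List[Dict[str, object]]:
    """Locate every formfeed in the signed body. Note: str.splitlines() treats
    \\f as a line break and would hide it, so split on '\\n' explicitly."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(signed_body(text).split("\n"), start=1):
        if "\f" not in line:
            continue
        hits.append({
            "line": lineno,
            "count": line.count("\f"),
            "at_line_end": line.endswith("\f"),
        })
    return hits


def gate(text: str) -> Dict[str, object]:
    """Decide whether the message may be passed to GnuPG at all."""
    hits = find_formfeeds(text)
    return {"accept": not hits, "hits": hits}


def verify_with_gate(path: str) -> int:
    """Run the gate, then (only on acceptance) the normal gpg --verify.
    Exit code 2 marks a gate rejection; otherwise gpg's own return code."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    verdict = gate(text)
    if not verdict["accept"]:
        for hit in verdict["hits"]:
            where = "at end of line" if hit["at_line_end"] else "inside line"
            print(f"REJECT {path}: {hit['count']} formfeed(s) on body line "
                  f"{hit['line']} ({where})", file=sys.stderr)
        return 2
    return subprocess.run(["gpg", "--verify", path]).returncode


if __name__ == "__main__":
    sys.exit(verify_with_gate(sys.argv[1]))
```

Run it as `python gate.py signed_message.asc` in front of any existing verification step; a non-zero exit from the gate means gpg was never invoked, which is what you want while the "invalid armor" warning on L39 is the only signal GnuPG itself gives.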

🔍 How to Verify

Check if Vulnerable:

Run: gpg --version | head -1. If version is 2.4.8 or earlier, you are vulnerable.

Check Version:

gpg --version | head -1

Verify Fix Applied:

After updating, verify version is 2.4.9+: gpg --version | head -1

📡 Detection & Monitoring

Log Indicators:

  • Multiple 'invalid armor' warnings during signature verification
  • Unexpected formfeed characters in signed messages

Network Indicators:

  • Unusual patterns in signed message transfers
  • Messages with appended content after expected signatures

SIEM Query:

gpg_logs WHERE message CONTAINS 'invalid armor' OR message CONTAINS 'formfeed'
