GHSA-8h58-w33p-wq3g: rPGP affected by crash in message handling for deeply nested messages
Versions of rPGP before 0.19.0 could be made to crash with a stack overflow when parsing messages that contain deeply nested message layers, for example messages wrapped in many signatures.
rPGP 0.19.0 resolves this issue with a more robust message handling implementation (via https://github.com/rpgp/rpgp/pull/625).
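The failure mode above is unbounded recursion: every nested layer costs a stack frame, so an attacker-supplied message with enough layers exhausts the stack. The following added example (not rPGP code, and using a constructed two-tag layer format rather than OpenPGP packet syntax) shows the defensive pattern of giving the parser an explicit nesting budget so that an over-nested message yields an error at a bounded depth instead of a crash.

```rust
// Added example with a constructed toy format: TAG_SIGNED wraps the rest of the
// input in one more layer, TAG_LITERAL is followed by a length byte and payload.
const TAG_SIGNED: u8 = 0x01;
const TAG_LITERAL: u8 = 0x02;

#[derive(Debug, PartialEq)]
pub enum Message {
    Signed(Box<Message>),
    Literal(Vec<u8>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeeplyNested { limit: usize },
    Truncated,
    UnknownTag(u8),
}

/// Parse one message, refusing to descend more than `max_depth` layers.
/// Each `Signed` layer costs one recursive call, so without the budget a
/// message built from many signature layers would overflow the stack.
pub fn parse(input: &[u8], max_depth: usize) -> Result<Message, ParseError> {
    parse_at(input, 0, max_depth)
}

fn parse_at(input: &[u8], depth: usize, max_depth: usize) -> Result<Message, ParseError> {
    // Check the budget on entry: the error surfaces after at most max_depth+1 frames.
    if depth > max_depth {
        return Err(ParseError::TooDeeplyNested { limit: max_depth });
    }
    match input.split_first() {
        None => Err(ParseError::Truncated),
        Some((&TAG_SIGNED, rest)) => Ok(Message::Signed(Box::new(parse_at(rest, depth + 1, max_depth)?))),
        Some((&TAG_LITERAL, rest)) => {
            let (&len, payload) = rest.split_first().ok_or(ParseError::Truncated)?;
            let len = len as usize;
            if payload.len() < len {
                return Err(ParseError::Truncated);
            }
            Ok(Message::Literal(payload[..len].to_vec()))
        }
        Some((&tag, _)) => Err(ParseError::UnknownTag(tag)),
    }
}

/// Constructed test input: `layers` signature layers around the literal "hi".
pub fn nested_signed(layers: usize) -> Vec<u8> {
    let mut bytes = vec![TAG_SIGNED; layers];
    bytes.extend_from_slice(&[TAG_LITERAL, 2, b'h', b'i']);
    bytes
}
```

With the budget set to 64, a message of a million layers is rejected after 65 frames; an iterative parser that tracks the layer count in a loop is the other common way to remove the stack dependence entirely.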