CVE-2021-32685: Improper Verification of Cryptographic Signature

June 28, 2021 (updated January 23, 2026)

The verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature of a SHA-512 hash matching the SHA-512 hash of the message even if the signature is invalid.

References

github.com/TogaTech/tEnvoy
github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b
github.com/TogaTech/tEnvoy/releases/tag/v7.0.3
github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m
github.com/advisories/GHSA-7r96-8g3x-g36m
nvd.nist.gov/vuln/detail/CVE-2021-32685

Code Behaviors & Features

Detect and mitigate CVE-2021-32685 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →