Hkario

**Name of the Vulnerable Software and Affected Versions** Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched **Description** The issue is related to the use of hidden side channels in the PrivateDecrypt() function of the Node.js cryptographic library, due to a timing discrepancy in the decryption of valid and invalid encrypted texts based on the PKCS#1 v1.5 cryptography standard. This allows a remote attacker to implement a Bleichenbacher or Marvin attack. The vulnerability is exploited when PKCS #1 v1.5 padding is allowed during RSA decryption using a private key. **Recommendations** As a temporary workaround, consider disabling the use of PKCS #1 v1.5 padding when performing RSA decryption using a private key until a patch is available. Restrict access to the PrivateDecrypt() function to minimize the risk of exploitation. Avoid using the `PrivateDecrypt()` function with unpatched versions of OpenSSL until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.