AIKIDO-2026-10969

node-rsa is vulnerable to Side-channel Attack

Side-channel Attack, Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 5 days ago

Score: 75 (High Risk)

This Affects:

node-rsa (JS)
Affected versions: 0.0.1 - 1.1.1
Fixed in 2.0.0

TL;DR

The node-rsa library performs RSA encryption, decryption, signing, and verification in JavaScript for Node.js and browser environments. Before the fix, PKCS#1 v1.5 decryption, OAEP decoding, PSS verification, and unblinded private RSA operations leaked timing information that a remote attacker can measure to recover plaintext or private key material. Miller-Rabin primality testing used predictable witnesses, imported CRT private key components were not cross-checked, and several key-import parsers lacked strict validation. The patch rewrites these code paths with constant-time decoding, RSA blinding, CSPRNG-based primality tests, CRT consistency checks, and hardened PKCS#8 and OpenSSH parsing.
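
The TL;DR notes that imported CRT private key components were not cross-checked before the fix. As an added illustration (not code from node-rsa or its patch), the sketch below shows what such a cross-check verifies and how an inconsistent component silently changes the result of the private operation. The function names, field names and the toy key are assumptions constructed for this example.

```javascript
// Added illustration, not node-rsa's code. Field names follow the PKCS#1
// RSAPrivateKey layout (n, e, d, p, q, dp, dq, qinv) and are assumptions here.

// Square-and-multiply modular exponentiation (toy numbers only, not constant-time).
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Cross-check imported CRT components; returns the list of failed checks.
function checkCrtConsistency(k) {
  const errors = [];
  if (k.p < 2n || k.q < 2n || k.p === k.q) errors.push('p/q: must be distinct and > 1');
  if (k.p * k.q !== k.n) errors.push('n: not equal to p * q');
  if (errors.length) return errors; // remaining checks need sane primes
  const p1 = k.p - 1n, q1 = k.q - 1n;
  if (k.dp !== k.d % p1 || (k.e * k.dp) % p1 !== 1n) errors.push('dp: not d mod (p-1)');
  if (k.dq !== k.d % q1 || (k.e * k.dq) % q1 !== 1n) errors.push('dq: not d mod (q-1)');
  if (k.qinv <= 0n || k.qinv >= k.p || (k.q * k.qinv) % k.p !== 1n) errors.push('qinv: not q^-1 mod p');
  return errors;
}

// Textbook CRT private operation (no padding, no blinding), used only to show
// that inconsistent components silently change the result.
function crtPrivateOp(k, c) {
  const m1 = modPow(c, k.dp, k.p);
  const m2 = modPow(c, k.dq, k.q);
  const h = (((k.qinv * (m1 - m2)) % k.p) + k.p) % k.p;
  return m2 + h * k.q;
}

// Constructed toy key (far too small for real use).
const goodKey = { n: 3233n, e: 17n, d: 2753n, p: 61n, q: 53n, dp: 53n, dq: 49n, qinv: 38n };
const tamperedKey = { ...goodKey, dp: 54n }; // one component altered on import

const c = modPow(65n, goodKey.e, goodKey.n);        // encrypt m = 65
console.log(checkCrtConsistency(goodKey));          // []
console.log(crtPrivateOp(goodKey, c) === 65n);      // true
console.log(checkCrtConsistency(tamperedKey));      // [ 'dp: not d mod (p-1)' ]
console.log(crtPrivateOp(tamperedKey, c) === 65n);  // false
```

Running the check at import time rejects the tampered key before any private operation uses it.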

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

node-rsa is vulnerable to a side-channel attack in versions 0.0.1 - 1.1.1.

How to fix this

Upgrade the node-rsa library to the patched version, 2.0.0.