Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
[
{
"defaultStatus": "unaffected",
"vendor": "Node",
"product": "https://github.com/nodejs/node",
"versions": [
{
"version": "21.6.0",
"status": "affected",
"lessThanOrEqual": "21.6.0",
"versionType": "semver"
},
{
"version": "20.11.0",
"status": "affected",
"lessThanOrEqual": "20.11.0",
"versionType": "semver"
},
{
"version": "18.19.0",
"status": "affected",
"lessThanOrEqual": "18.19.0",
"versionType": "semver"
}
]
}
]