Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
[
{
"cpes": [
"cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"
],
"vendor": "nodejs",
"product": "nodejs",
"versions": [
{
"status": "affected",
"version": "18.0",
"versionType": "semver",
"lessThanOrEqual": "18.19.0"
},
{
"status": "affected",
"version": "20.0",
"versionType": "semver",
"lessThanOrEqual": "20.11.0"
},
{
"status": "affected",
"version": "21.0",
"versionType": "semver",
"lessThanOrEqual": "21.6.0"
}
],
"defaultStatus": "unaffected"
}
]