CVE-2020-14967

Vulnerability

Overview

CVE-2020-14967 affects the jsrsasign cryptographic library for Node.js [1]. The RSA PKCS1 v1.5 decryption function fails to detect ciphertext modification when an attacker prepends \0 bytes to a legitimate ciphertext. The library will accept and decrypt the altered ciphertext without raising an error, which violates the strictness expected of a secure PKCS1-v1.5 implementation [2].

Exploitation

Scenario

An adversary can take a valid RSA-encrypted ciphertext, prepend one or more null bytes, and then feed that modified blob into the decryption routine. Because the library does not check for leading zero bytes, it proceeds with decryption as if the input were well-formed [2]. This kind of manipulation does not require network access to encrypted channels if the attacker can supply crafted ciphertexts to an application using the vulnerable library. The attack surface is any Node.js service that uses jsrsasign for RSA decryption and accepts external ciphertext input.

Impact

The primary impact is the bypass of ciphertext integrity checks. An attacker might use this primitive to trigger memory corruption or other undefined behavior in the decryption process [1]. While the vendor notes that the Marvin attack (a timing side-channel against PKCS#1 v1.5) is a separate concern, the acceptance of malformed ciphertexts undermines the security properties of RSA encryption as specified in RFC 8017 [2].

Mitigation

The issue is fixed in jsrsasign version 8.0.18 and later [1]. Users should upgrade immediately. The library removed RSA and RSAOAEP encryption/decryption support in version 11.0.0 precisely because of Marvin attack vulnerability [3]. The project is scheduled for end-of-life on 3 June 2026 [4]; users are encouraged to migrate to alternative cryptographic libraries that offer modern, side-channel-resistant RSA schemes.