Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if PCKS #1 v1.5 padding is allowed when performing RSA descryption using a private key.
{ "cpes": [ "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*" ], "severity": "High" }