Theo's Typesafe Cult•7mo ago

RSA_PKCS1_PADDING is no longer supported for private decryption

Summary I am using the native Node crypto module to decrypt data using the pkcs1 padding scheme in a next.js serverless function. I am getting this error on production deployments. (It is working on local dev environment) The error message says this can be "reverted" but where do i actually pass that argument in a production deployment?

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
at handler (/var/task/.next/server/pages/api/admin/captureUpi.js:99:80)
at Object.apiResolver (/var/task/node_modules/next/dist/server/api-utils/node.js:363:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async NextNodeServer.runApi (/var/task/node_modules/next/dist/server/next-server.js:487:9)
at async Object.fn (/var/task/node_modules/next/dist/server/next-server.js:749:37)
at async Router.execute (/var/task/node_modules/next/dist/server/router.js:253:36)
at async NextNodeServer.run (/var/task/node_modules/next/dist/server/base-server.js:384:29)
at async NextNodeServer.handleRequest (/var/task/node_modules/next/dist/server/base-server.js:322:20)
at async Server.<anonymous> (/var/task/___next_launcher.cjs:26:5) {
code: 'ERR_INVALID_ARG_VALUE'
}
Node.js process exited with exit status: 1. The logs above can help with debugging the issue.
Unknown application error occurred

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
at handler (/var/task/.next/server/pages/api/admin/captureUpi.js:99:80)
at Object.apiResolver (/var/task/node_modules/next/dist/server/api-utils/node.js:363:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async NextNodeServer.runApi (/var/task/node_modules/next/dist/server/next-server.js:487:9)
at async Object.fn (/var/task/node_modules/next/dist/server/next-server.js:749:37)
at async Router.execute (/var/task/node_modules/next/dist/server/router.js:253:36)
at async NextNodeServer.run (/var/task/node_modules/next/dist/server/base-server.js:384:29)
at async NextNodeServer.handleRequest (/var/task/node_modules/next/dist/server/base-server.js:322:20)
at async Server.<anonymous> (/var/task/___next_launcher.cjs:26:5) {
code: 'ERR_INVALID_ARG_VALUE'
}
Node.js process exited with exit status: 1. The logs above can help with debugging the issue.
Unknown application error occurred

Solution:

UPDATE: Found a workaround by using NodeRSA and setting the environment to browser (It will use the node crypto library with the CVE by default) ```typescript import NodeRSA from "node-rsa"; ...

Jump to solution

2 Replies

Rockstaa8055OP•7mo ago

Steps to Reproduce Create an endpoint on next.js and deploy it to vercel

// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
import type { NextApiRequest, NextApiResponse } from "next";
import crypto from "crypto";

type Response = {
  status: number;
  message?: string;
};

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse<Response>,
) {
  const encryptedBody = req.body["encryptedBody"];

  const privateKeyString = Buffer.from(
    process.env.PRIVATE_KEY ?? "",
    "base64",
  ).toString("utf8");

  const privateKey = crypto.createPrivateKey({
    key: privateKeyString,
    format: "pem",
  });

  const decryptedRequestData = crypto
    .privateDecrypt(
      {
        key: privateKey,
        padding: crypto.constants.RSA_PKCS1_PADDING,
      },
      Buffer.from(encryptedBody, "base64"),
    )
    .toString("utf8");

  console.log("decryptedRequestData", decryptedRequestData);

  return res.status(200).json({
    status: 200,
    message: "Success",
  });
}

// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
import type { NextApiRequest, NextApiResponse } from "next";
import crypto from "crypto";

type Response = {
  status: number;
  message?: string;
};

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse<Response>,
) {
  const encryptedBody = req.body["encryptedBody"];

  const privateKeyString = Buffer.from(
    process.env.PRIVATE_KEY ?? "",
    "base64",
  ).toString("utf8");

  const privateKey = crypto.createPrivateKey({
    key: privateKeyString,
    format: "pem",
  });

  const decryptedRequestData = crypto
    .privateDecrypt(
      {
        key: privateKey,
        padding: crypto.constants.RSA_PKCS1_PADDING,
      },
      Buffer.from(encryptedBody, "base64"),
    )
    .toString("utf8");

  console.log("decryptedRequestData", decryptedRequestData);

  return res.status(200).json({
    status: 200,
    message: "Success",
  });
}

Solution

Rockstaa8055•7mo ago

UPDATE: Found a workaround by using NodeRSA and setting the environment to browser (It will use the node crypto library with the CVE by default)

import NodeRSA from "node-rsa";

const privateKeyString = Buffer.from(
  process.env.PRIVATE_KEY ?? "",
  "base64",
).toString("utf8");

const privateKey = new NodeRSA(privateKeyString);
privateKey.setOptions({ encryptionScheme: "pkcs1", environment: "browser" });

const decryptedRequestData = privateKey
  .decrypt(encryptedBody)
  .toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);

import NodeRSA from "node-rsa";

const privateKeyString = Buffer.from(
  process.env.PRIVATE_KEY ?? "",
  "base64",
).toString("utf8");

const privateKey = new NodeRSA(privateKeyString);
privateKey.setOptions({ encryptionScheme: "pkcs1", environment: "browser" });

const decryptedRequestData = privateKey
  .decrypt(encryptedBody)
  .toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);

Gaming

Programming

RSA_PKCS1_PADDING is no longer supported for private decryption