RSA_PKCS1_PADDING is no longer supported for private decryption

Summary I am using the native Node crypto module to decrypt data using the pkcs1 padding scheme in a next.js serverless function. I am getting this error on production deployments. (It is working on local dev environment) The error message says this can be "reverted" but where do i actually pass that argument in a production deployment?
TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
at handler (/var/task/.next/server/pages/api/admin/captureUpi.js:99:80)
at Object.apiResolver (/var/task/node_modules/next/dist/server/api-utils/node.js:363:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async NextNodeServer.runApi (/var/task/node_modules/next/dist/server/next-server.js:487:9)
at async Object.fn (/var/task/node_modules/next/dist/server/next-server.js:749:37)
at async Router.execute (/var/task/node_modules/next/dist/server/router.js:253:36)
at async NextNodeServer.run (/var/task/node_modules/next/dist/server/base-server.js:384:29)
at async NextNodeServer.handleRequest (/var/task/node_modules/next/dist/server/base-server.js:322:20)
at async Server.<anonymous> (/var/task/___next_launcher.cjs:26:5) {
code: 'ERR_INVALID_ARG_VALUE'
}
Node.js process exited with exit status: 1. The logs above can help with debugging the issue.
Unknown application error occurred
TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
at Object.privateDecrypt (node:internal/crypto/cipher:79:12)
at handler (/var/task/.next/server/pages/api/admin/captureUpi.js:99:80)
at Object.apiResolver (/var/task/node_modules/next/dist/server/api-utils/node.js:363:15)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async NextNodeServer.runApi (/var/task/node_modules/next/dist/server/next-server.js:487:9)
at async Object.fn (/var/task/node_modules/next/dist/server/next-server.js:749:37)
at async Router.execute (/var/task/node_modules/next/dist/server/router.js:253:36)
at async NextNodeServer.run (/var/task/node_modules/next/dist/server/base-server.js:384:29)
at async NextNodeServer.handleRequest (/var/task/node_modules/next/dist/server/base-server.js:322:20)
at async Server.<anonymous> (/var/task/___next_launcher.cjs:26:5) {
code: 'ERR_INVALID_ARG_VALUE'
}
Node.js process exited with exit status: 1. The logs above can help with debugging the issue.
Unknown application error occurred
Solution:
UPDATE: Found a workaround by using NodeRSA and setting the environment to browser (It will use the node crypto library with the CVE by default) ```typescript import NodeRSA from "node-rsa"; ...
Jump to solution
2 Replies
Rockstaa8055
Rockstaa80553mo ago
Steps to Reproduce Create an endpoint on next.js and deploy it to vercel
// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
import type { NextApiRequest, NextApiResponse } from "next";
import crypto from "crypto";

type Response = {
status: number;
message?: string;
};

export default async function handler(
req: NextApiRequest,
res: NextApiResponse<Response>,
) {
const encryptedBody = req.body["encryptedBody"];

const privateKeyString = Buffer.from(
process.env.PRIVATE_KEY ?? "",
"base64",
).toString("utf8");

const privateKey = crypto.createPrivateKey({
key: privateKeyString,
format: "pem",
});

const decryptedRequestData = crypto
.privateDecrypt(
{
key: privateKey,
padding: crypto.constants.RSA_PKCS1_PADDING,
},
Buffer.from(encryptedBody, "base64"),
)
.toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);

return res.status(200).json({
status: 200,
message: "Success",
});
}
// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
import type { NextApiRequest, NextApiResponse } from "next";
import crypto from "crypto";

type Response = {
status: number;
message?: string;
};

export default async function handler(
req: NextApiRequest,
res: NextApiResponse<Response>,
) {
const encryptedBody = req.body["encryptedBody"];

const privateKeyString = Buffer.from(
process.env.PRIVATE_KEY ?? "",
"base64",
).toString("utf8");

const privateKey = crypto.createPrivateKey({
key: privateKeyString,
format: "pem",
});

const decryptedRequestData = crypto
.privateDecrypt(
{
key: privateKey,
padding: crypto.constants.RSA_PKCS1_PADDING,
},
Buffer.from(encryptedBody, "base64"),
)
.toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);

return res.status(200).json({
status: 200,
message: "Success",
});
}
Solution
Rockstaa8055
Rockstaa80553mo ago
UPDATE: Found a workaround by using NodeRSA and setting the environment to browser (It will use the node crypto library with the CVE by default)
import NodeRSA from "node-rsa";

const privateKeyString = Buffer.from(
process.env.PRIVATE_KEY ?? "",
"base64",
).toString("utf8");

const privateKey = new NodeRSA(privateKeyString);
privateKey.setOptions({ encryptionScheme: "pkcs1", environment: "browser" });

const decryptedRequestData = privateKey
.decrypt(encryptedBody)
.toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);
import NodeRSA from "node-rsa";

const privateKeyString = Buffer.from(
process.env.PRIVATE_KEY ?? "",
"base64",
).toString("utf8");

const privateKey = new NodeRSA(privateKeyString);
privateKey.setOptions({ encryptionScheme: "pkcs1", environment: "browser" });

const decryptedRequestData = privateKey
.decrypt(encryptedBody)
.toString("utf8");

console.log("decryptedRequestData", decryptedRequestData);