Use of RSA Algorithm without OAEP

Description

This vulnerability occurs when an application implements RSA encryption but fails to use Optimal Asymmetric Encryption Padding (OAEP), significantly weakening the cryptographic protection.

Extended Description

RSA encryption on its own has mathematical properties that make raw, unpadded messages vulnerable to analysis. Attackers can exploit these patterns to decrypt data without the private key. OAEP adds a layer of random padding before encryption, making every output unique and unpredictable, which is essential for secure RSA implementation in practice. Without OAEP, encrypted data is far easier to compromise, especially in scenarios involving repeated or predictable messages. While SAST tools can detect this insecure pattern, managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack, using AI to suggest the specific code fixes needed to implement OAEP correctly.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection Mechanism

Without OAEP in RSA encryption, it will take less work for an attacker to decrypt the data or to infer patterns from the ciphertext.

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Demonstrative Examples 1

The example below attempts to build an RSA cipher.

Code Example:Bad
Java
java

While the previous code successfully creates an RSA cipher, the cipher does not use padding. The following code creates an RSA cipher using OAEP.

Code Example:Good
Java
java

References 2

RSA Problem

Ronald L. Rivest and Burt Kaliski

10-12-2003

https://people.csail.mit.edu/rivest/pubs/RK03.prepub.pdf(2025-07-29)

ID: REF-694

Optimal Asymmetric Encryption Padding

Wikipedia

08-07-2009

https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding(2023-04-07)

ID: REF-695

Likelihood of Exploit

Medium

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Use of a Broken or Risky Cryptographic Algorithm (CWE-327)

Notes

MaintenanceThis entry could probably have a new parent related to improper padding, however the role of padding in cryptographic algorithms can vary, such as hiding the length of the plaintext and providing additional random bits for the cipher. In general, cryptographic problems in CWE are not well organized and further research is needed.