Node.js Compatibility with Eufy Security Plugin - homebridge-eufy-security/plugin GitHub Wiki
Last updated: February 2026 — Node.js 24.5.0+ restores PKCS1 padding support ✅
Executive Summary
Eufy Security devices use a legacy cryptographic protocol (RSA_PKCS1_PADDING) for livestream/P2P communication. Several Node.js LTS versions removed support for this protocol as part of an OpenSSL security fix (CVE-2023-46809), breaking streaming only — all other plugin features continue to work normally.
Node.js 24.5.0+ restores compatibility by re-enabling PKCS1 padding with implicit rejection (a safe implementation). Users now have two recommended paths: stay on 20.11.0 for proven stability, or upgrade to ≥ 24.5.0 for the latest features with full streaming support.
Compatibility Matrix (LTS versions)
| Node.js LTS | Versions | Streaming | Recommendation |
|---|---|---|---|
| v18 | ≤ 18.19.0 | ✅ Works | End of life — migrate to v20 or v24 |
| v18 | ≥ 18.19.1 | ❌ Broken | Downgrade to 18.19.0 or switch to 20.11.0 |
| v20 | ≤ 20.11.0 | ✅ Works | Recommended stable version |
| v20 | ≥ 20.11.1 | ❌ Broken | Downgrade to 20.11.0 |
| v22 | All | ❌ Broken | Switch to 20.11.0 or upgrade to 24.5.0+ |
| v24 | < 24.5.0 | ❌ Broken | Upgrade to 24.5.0+ |
| v24 | ≥ 24.5.0 | ✅ Works | Recommended for latest features 🎉 |
Only streaming is affected. Motion detection, sensors, locks, doorbell notifications, arming/disarming, and device status all work on any Node.js version.
What's the problem?
Eufy Security devices use RSA PKCS#1 v1.5 padding (RSA_PKCS1_PADDING) for encrypting P2P livestream communication. This is a legacy cryptographic standard.
Starting with certain Node.js patch releases, OpenSSL security updates removed support for RSA_PKCS1_PADDING as part of a fix for CVE-2023-46809. Since Eufy's device firmware relies on this padding scheme, the plugin can no longer decrypt livestream data on affected Node.js versions.
Key points
- The root cause is in Eufy's device firmware, not in the plugin or the eufy-security-client library.
- The firmware uses deprecated cryptographic protocols that cannot be updated by plugin maintainers.
- Node.js 24.5.0 (released 2025) re-enables PKCS1 padding with implicit rejection support via OpenSSL updates, restoring compatibility.
Affected vs. Unaffected Protocols
| What Eufy uses (legacy) | Modern alternative |
|---|---|
| RSA_PKCS1_PADDING (v1.5) | RSA-OAEP (PKCS#1 v2.2) |
| AES-ECB mode | AES-GCM / AES-CBC with HMAC |
| Static key derivation from serial numbers | Ephemeral keys with Perfect Forward Secrecy |
Solutions
Option 1: Use Node.js 20.11.0 (Recommended for stability)
This is the most reliable option for users who need streaming.
# For Homebridge users
sudo hb-service update-node 20.11.0
Option 2: Upgrade to Node.js ≥ 24.5.0 (Recommended for latest features)
Node.js 24.5.0+ restores PKCS1 padding support through updated OpenSSL. This is the forward-looking solution.
# For Homebridge users
sudo hb-service update-node 24.5.0
How to verify your setup
1. Check your Node.js version
node -v
2. Check OpenSSL version
node -e "console.log(process.versions.openssl)"
3. Check for errors in plugin logs
Look for messages like:
[EufySecurity] ERROR: RSA_PKCS1_PADDING is no longer supported
or P2P connection timeouts during livestream attempts.
4. Test streaming
After switching Node.js versions, restart Homebridge and attempt a livestream from the Home app to confirm it works.
FAQ
Why does streaming still work on macOS with newer Node.js?
macOS ships with legacy OpenSSL 1.1.x libraries at /usr/lib/libcrypto.35.dylib and /usr/lib/libssl.35.dylib. These retain backward compatibility for PKCS1 padding even when Node.js bundles a newer OpenSSL. This is platform-specific and does not apply to Linux.
Does this affect all plugin features?
No. Only livestream and P2P streaming features are affected. Everything else — motion detection, entry sensors, locks, doorbell notifications, arming/disarming, device status — works normally on any Node.js version.
What changed in Node.js 24.5.0?
Node.js 24.5.0 ships with an updated OpenSSL that re-enables RSA_PKCS1_PADDING with implicit rejection (a safe way to support the legacy padding without reintroducing the original vulnerability). This restores full compatibility with Eufy's P2P protocol.
Will this be permanently fixed?
A permanent fix requires Eufy to update their device firmware to use modern cryptographic protocols (RSA-OAEP). This is outside the control of plugin maintainers. In the meantime:
- Short-term: Use Node.js 20.11.0 or ≥ 24.5.0
- Long-term: Requires action from Eufy/Anker
Where can I track progress?
- eufy-security-client #487 — Client library tracking
- Node.js #55628 — Node.js discussion
- homebridge-eufy-security #548 — Plugin tracking