The jwcrypto implementation of the RSA1_5 algorithm was found vulnerable to the Million Message Attack described in RFC 3128.
A timing attack could be leveraged against the implementation to detect when a chosen ciphertext generates a valid header and padding. An invalid header or padding raises an exception and terminates the cryptographic operations early, so such messages are processed faster, and the difference is measurable over the network.
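The early-exit pattern described above, next to the countermeasure recommended in RFC 7516 section 11.5 (substitute a random key and carry on), as an added example that is not jwcrypto's code. It assumes the RSA private-key operation has already produced the encoded block `em` and uses HMAC-SHA256 as a stand-in for the authenticated content decryption; all function names are hypothetical.

```python
import hashlib
import hmac
import os

CEK_LEN = 32  # assumed content-encryption key size for this sketch

class DecryptionFailed(Exception):
    """Single, uniform error for every failure mode."""

def unpad_pkcs1_v15(em: bytes) -> bytes:
    """Strip PKCS#1 v1.5 padding: 00 02 <at least 8 nonzero bytes> 00 <msg>."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator missing (-1) or fewer than 8 padding bytes
        raise ValueError("bad padding")
    return em[sep + 1:]

def check_tag(cek: bytes, body: bytes, tag: bytes) -> bytes:
    """Stand-in for the authenticated content decryption step."""
    expected = hmac.new(cek, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise DecryptionFailed("decryption failed")
    return body

def decrypt_vulnerable(em: bytes, body: bytes, tag: bytes) -> bytes:
    # Padding errors propagate at once: a distinct exception, and no MAC work.
    return check_tag(unpad_pkcs1_v15(em), body, tag)

def decrypt_hardened(em: bytes, body: bytes, tag: bytes) -> bytes:
    fallback = os.urandom(CEK_LEN)  # always drawn, whether or not it is needed
    try:
        cek = unpad_pkcs1_v15(em)
        if len(cek) != CEK_LEN:
            cek = fallback
    except ValueError:
        cek = fallback
    # Every input reaches the MAC check; bad padding fails there like a bad tag.
    return check_tag(cek, body, tag)

def make_em(cek: bytes, k: int = 256) -> bytes:
    """Constructed sample input: a well-formed encoded block of k bytes."""
    ps = bytes(b % 255 + 1 for b in os.urandom(k - 3 - len(cek)))
    return b"\x00\x02" + ps + b"\x00" + cek
```

The unpadding routine here still branches on the padding bytes, so it only removes the large difference (distinct exception and skipped cryptographic work); a production implementation should also unpad in constant time.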
Many thanks to Dennis Detering (dennis.detering@rub.de) for discovering and reporting this vulnerability.