node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit

Severity:: High

Description

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.

Recommendation

Update the node-opcua package to the latest compatible version. Followings are version details:

Affected version(s): < 2.74.0
Patched version(s): 2.74.0

References

GHSA-qpgc-xh7j-52q8
security.snyk.io
CVE-2022-25231
CWE-770
CAPEC-310
OWASP 2021-A6

Related Issues

node-opcua DoS when bypassing limitations for excessive memory consumption - CVE-2022-24375
Uncontrolled Resource Consumption in node-opcua - CVE-2022-21208
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - CVE-2025-12816
libp2p DoS vulnerability from lack of resource management - CVE-2022-23487

Tags:: npm; node-opcua

Anything's wrong? Let us know Last updated on January 30, 2023