node-opcua DoS when bypassing limitations for excessive memory consumption

Severity:: High

Description

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

Recommendation

Update the node-opcua package to the latest compatible version. Followings are version details:

Affected version(s): < 2.74.0
Patched version(s): 2.74.0

References

GHSA-vh4f-fgpp-x8x2
security.snyk.io
CVE-2022-24375
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388
MongoDB Shell may be susceptible to control character injection via pasting - CVE-2025-1692
Strapi's field level permissions not being respected in relationship title - CVE-2023-37263
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS - CVE-2024-45812

Tags:: npm; node-opcua

Anything's wrong? Let us know Last updated on January 30, 2023