node-opcua DoS when bypassing limitations for excessive memory consumption

Severity:: High

Description

The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

Recommendation

Update the node-opcua package to the latest compatible version. Followings are version details:

Affected version(s): < 2.74.0
Patched version(s): 2.74.0

References

GHSA-vh4f-fgpp-x8x2
security.snyk.io
CVE-2022-24375
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
Uncontrolled Resource Consumption in node-opcua - CVE-2022-21208
Improper handling of multiline messages in node-irc affects matrix-appservice-irc - CVE-2022-29166
URL Confusion When Scheme Not Supplied in medialize/uri.js - CVE-2022-1233

Tags:: npm; node-opcua

Anything's wrong? Let us know Last updated on January 30, 2023