Description
The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
Recommendation
Update the node-opcua package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.74.0
- Patched version(s): 2.74.0
References
Related Issues
- node-opcua DoS when bypassing limitations for excessive memory consumption - CVE-2022-24375
- Uncontrolled Resource Consumption in markdown-it - CVE-2022-21670
- node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit - CVE-2022-25231
- Uncontrolled resource consumption in jpeg-js - CVE-2020-8175
- Tags:
- npm
- node-opcua
Anything's wrong? Let us know Last updated on January 28, 2023