CVE-2022-21208

HIGH

Node-opcua < 2.74.0 - Denial of Service

Description

The package node-opcua before 2.74.0 is vulnerable to Denial of Service (DoS) due to a missing limit on the number of received chunks, either per single session or in total across all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.

Scores

CVSS v3 7.5
EPSS 0.0112
EPSS Percentile 78.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-1284
Status published
Products (2)
node-opcua_project/node-opcua < 2.74.0
npm/node-opcua 0 - 2.74.0 (npm)
Published Aug 23, 2022
Tracked Since Feb 18, 2026