CVE-2022-21208: Uncontrolled Resource Consumption in node-opcua
CVSS Score: 7.5 (CVSS v3.1)

Basic Information
CVE ID: CVE-2022-21208
GHSA ID:
EPSS Score: 0.29944%
CWE:
Published: 8/24/2022
Updated: 1/28/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
node-opcua | npm | < 2.74.0 | 2.74.0
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from missing chunk size and chunk count limits in message processing. The functions that assembled and decoded chunks did not bound how large a single chunk could be, how many chunks one message could span, or how large the reassembled message could grow, so a remote peer could cause a denial of service by sending oversized or unlimited chunks. The patch (first shipped in 2.74.0) added:
1) maxChunkCount/maxMessageSize checks in MessageBuilderBase
2) maxChunkSize validation in PacketAssembler
3) propagation of the transport limits to the MessageBuilder in the SecureChannel layers
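As an added illustration (not node-opcua's own code), the following minimal chunk assembler applies the three limits the analysis describes before any chunk body is retained. The 8-byte chunk header layout, the ChunkAssembler/makeChunk names and the default limit values are assumptions made for this example.

```javascript
const HEADER_SIZE = 8; // assumed: 3-byte message type, 1-byte chunk type, uint32 LE length

class LimitError extends Error {}

class ChunkAssembler {
  constructor({ maxChunkSize = 8192, maxChunkCount = 16, maxMessageSize = 65536 } = {}) {
    this.limits = { maxChunkSize, maxChunkCount, maxMessageSize };
    this.reset();
  }

  reset() {
    this.chunks = [];
    this.totalBytes = 0;
  }

  // Discard the partial message and report which limit was hit.
  fail(reason) {
    this.reset();
    throw new LimitError(reason);
  }

  // Feed one complete chunk. Returns the reassembled message when the final
  // ('F') chunk arrives, otherwise null. Every limit is checked before the
  // chunk body is kept, so a peer cannot grow memory use beyond
  // maxChunkCount * maxChunkSize or maxMessageSize, whichever is smaller.
  push(chunk) {
    if (chunk.length < HEADER_SIZE) this.fail("truncated chunk header");
    const { maxChunkSize, maxChunkCount, maxMessageSize } = this.limits;
    const declared = chunk.readUInt32LE(4);
    if (declared > maxChunkSize) this.fail(`chunk length ${declared} exceeds maxChunkSize ${maxChunkSize}`);
    if (declared !== chunk.length) this.fail("declared length does not match chunk length");
    if (this.chunks.length + 1 > maxChunkCount) this.fail(`more than maxChunkCount (${maxChunkCount}) chunks`);
    const body = chunk.subarray(HEADER_SIZE);
    if (this.totalBytes + body.length > maxMessageSize) this.fail(`message exceeds maxMessageSize ${maxMessageSize}`);
    const chunkType = String.fromCharCode(chunk[3]);
    if (chunkType === "A") { this.reset(); return null; } // abort: drop the partial message
    this.chunks.push(body);
    this.totalBytes += body.length;
    if (chunkType !== "F") return null;
    const message = Buffer.concat(this.chunks);
    this.reset();
    return message;
  }
}

// Build a constructed test chunk: header plus `bodyLength` filler bytes.
function makeChunk(chunkType, bodyLength) {
  const buf = Buffer.alloc(HEADER_SIZE + bodyLength, 0x41);
  buf.write("MSG" + chunkType, 0, "latin1");
  buf.writeUInt32LE(buf.length, 4);
  return buf;
}
```

The limits are rejected per chunk, so a rejected message never occupies more than one chunk's worth of memory beyond what was already accepted.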