7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-25345

GHSA ID

GHSA-rvgf-69j7-xh78

EPSS Score

0.55417%

CWE

CWE-908

Published

6/18/2022

Updated

9/7/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-25345

CVE-2022-25345: Uncontrolled Resource Consumption in @discordjs/opus

Improperly handled errors in @discordjs/opus cause hard crashes instead of returning the error to user land. All versions of package @discordjs/opus (<= 0.7.0) are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash due to improperly returning the errors from the invalid inputs.

As of version 0.8.0, the errors are correctly returned to the user and are no longer throwing hard crashes that cannot be recovered.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-25345

CVE-2022-25345:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-25345

GHSA ID

GHSA-rvgf-69j7-xh78

EPSS Score

0.55417%

CWE

CWE-908

Published

6/18/2022

Updated

9/7/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@discordjs/opus	npm	< 0.8.0	0.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper error handling in native binding functions. The commit diff shows critical additions of 'return env.Null()' after error throws in Encode/Decode methods. In pre-0.8.0 versions, these functions would throw JS exceptions but continue executing C++ code with invalid encoder/decoder states (e.g., zero channels or null buffers), violating CWE-908 (Use of Uninitialized Resource). The unpatched code paths could access invalid memory when trying to encode/decode without proper initialization checks, causing unrecoverable crashes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-25345: Uncontrolled Resource Consumption in @discordjs/opus

CVE-2022-25345:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2022-25345: Uncontrolled Resource Consumption in @discordjs/opus

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI