Miggo Logo
Miggo Vulnerability Database
CVE-2022-25888

CVE-2022-25888: Uncontrolled Resource Consumption in opcua

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25888
GHSA ID
GHSA-8mx2-gqx9-rm7f
EPSS Score
0.65208%
CWE
CWE-400
Published
8/24/2022
Updated
1/28/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
opcuarust< 0.11.00.11.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing resource limits in three key areas: 1) MessageChunk decoding lacked max_message_size checks (CWE-770), 2) TCP transport layer didn't properly enforce max_chunk_count per session (CWE-400), and 3) MessageWriter allowed unlimited chunk generation. The GitHub commit 6fb683c specifically adds these validations in these components, confirming they were previously missing. The functions directly handle message/chunk processing without the critical limits described in the CVE, making them root causes of the resource exhaustion vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** op*u* *rom *.*.* *r* vuln*r**l* to **ni*l o* S*rvi** (*oS) *u* to * missin* limit*tion on t** num**r o* r***iv** **unks - p*r sin*l* s*ssion or in tot*l *or *ll *on*urr*nt s*ssions. *n *tt**k*r **n *xploit t*is vuln*r**ility *y s*n*in* *n

Reasoning

T** vuln*r**ility st*ms *rom missin* r*sour** limits in t*r** k*y *r**s: *) M*ss*****unk ***o*in* l**k** m*x_m*ss***_siz* ****ks (*W*-***), *) T*P tr*nsport l*y*r *i*n't prop*rly *n*or** m*x_**unk_*ount p*r s*ssion (*W*-***), *n* *) M*ss***Writ*r *ll