Miggo Logo
Miggo Vulnerability Database
CVE-2022-25903

CVE-2022-25903: opcua Vulnerable to Out-of-bounds Write

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-25903
GHSA ID
GHSA-hgxq-hcrm-c5pm
EPSS Score
0.6804%
CWE
CWE-787
Published
8/25/2022
Updated
1/30/2023
KEV Status
No
Technology
TechnologyRust

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
opcuarust< 0.11.00.11.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing recursion depth validation during deserialization of ExtensionObjects and Variants. The GitHub commit e75dada explicitly adds depth_lock() calls in these exact locations to prevent stack overflows. Before the patch, these decoding functions would recursively process nested structures without limiting call stack growth, making them the clear attack surface for CWE-787 exploitation via excessive nesting.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** op*u* *rom *.*.* until *.**.* is vuln*r**l* to **ni*l o* S*rvi** (*oS) vi* t** *xt*nsionO*j**ts *n* V*ri*nts o*j**ts, w**n it *llows unlimit** n*stin* l*v*ls, w*i** *oul* r*sult in * st**k ov*r*low *v*n i* t** m*ss*** siz* is l*ss t**n t*

Reasoning

T** vuln*r**ility st*ms *rom missin* r**ursion **pt* v*li**tion *urin* **s*ri*liz*tion o* *xt*nsionO*j**ts *n* V*ri*nts. T** *it*u* *ommit ******* *xpli*itly ***s **pt*_lo*k() **lls in t**s* *x**t lo**tions to pr*v*nt st**k ov*r*lows. ***or* t** p*t*