CVE-2022-25903: opcua Vulnerable to Out-of-bounds Write
The package opcua from 0.0.0 until 0.11.0 is vulnerable to Denial of Service (DoS) via the ExtensionObjects and Variants objects. The package allows unlimited nesting levels in these objects, which could result in a stack overflow even if the message size is less than the maximum allowed.
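The failure mode and its usual mitigation, as an added example that is not code from the opcua package: a recursive decoder for a constructed toy encoding (not the OPC UA binary format) that checks a nesting-depth limit before each recursive call. The `Value` type, the tag bytes and `MAX_DEPTH` are assumptions made for this illustration.

```rust
// Constructed toy encoding (not OPC UA binary): 0x01 + i32 LE = integer,
// 0x02 + count byte + that many encoded values = array of values.
#[derive(Debug, PartialEq)]
pub enum Value { Int(i32), Array(Vec<Value>) }

#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, BadTag(u8), TooDeep }

// Hypothetical limit chosen for this example.
pub const MAX_DEPTH: usize = 64;

/// Decode one value from `buf` at `*pos`, refusing nesting deeper than MAX_DEPTH.
pub fn decode(buf: &[u8], pos: &mut usize, depth: usize) -> Result<Value, DecodeError> {
    // The depth check runs before any recursion, so stack use is bounded
    // by MAX_DEPTH frames no matter how the input is shaped.
    if depth > MAX_DEPTH {
        return Err(DecodeError::TooDeep);
    }
    let tag = *buf.get(*pos).ok_or(DecodeError::Truncated)?;
    *pos += 1;
    match tag {
        0x01 => {
            let bytes = buf.get(*pos..*pos + 4).ok_or(DecodeError::Truncated)?;
            *pos += 4;
            Ok(Value::Int(i32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]])))
        }
        0x02 => {
            let count = *buf.get(*pos).ok_or(DecodeError::Truncated)? as usize;
            *pos += 1;
            let mut items = Vec::with_capacity(count);
            for _ in 0..count {
                items.push(decode(buf, pos, depth + 1)?);
            }
            Ok(Value::Array(items))
        }
        other => Err(DecodeError::BadTag(other)),
    }
}

/// Constructed input: `levels` nested one-element arrays around a single integer.
pub fn nested_message(levels: usize) -> Vec<u8> {
    let mut msg = [0x02u8, 0x01].repeat(levels);
    msg.extend_from_slice(&[0x01, 7, 0, 0, 0]);
    msg
}

fn main() {
    // About 200 KB of input nested 100,000 levels: rejected with TooDeep.
    println!("{:?}", decode(&nested_message(100_000), &mut 0, 0));
}
```

Each nesting level costs only two bytes in this encoding, so a size limit alone does not bound recursion depth; without the `depth` check the same input would recurse once per level.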