CVE-2022-24375: 
JavaScript vulnerability analysis and mitigation

CVE-2022-24375 affects node-opcua versions before 2.74.0, a JavaScript and Node.js implementation of an OPC UA stack. The vulnerability was discovered by Vera Mens, Uri Katz, and Sharon Brizinov of Team82 (Claroty Research) and was disclosed on August 22, 2022 (Snyk).

The vulnerability allows attackers to cause a Denial of Service (DoS) condition by bypassing limitations for excessive memory consumption. This is achieved by sending multiple CloseSession requests with the deleteSubscription parameter set to False. The vulnerability has a CVSS v3.1 base score of 7.5 (High), with Network attack vector, Low attack complexity, and No privileges required. The vulnerability primarily impacts system availability while maintaining unchanged scope and no impact on confidentiality or integrity (Snyk).

When successfully exploited, the vulnerability results in a total loss of availability, allowing attackers to fully deny access to resources in the impacted component. The loss can be either sustained while the attack continues or persistent even after the attack has completed. The attack can prevent the service from functioning properly by causing excessive memory consumption (Snyk).

The recommended mitigation is to upgrade node-opcua to version 2.74.0 or higher, which contains the fix for this vulnerability (Snyk).