CVE-2022-25761: 
NixOS vulnerability analysis and mitigation

CVE-2022-25761 affects the open62541/open62541 package versions before 1.2.5 and from 1.3-rc1 to before 1.3.1. The vulnerability was discovered by Team82 (Claroty Research) and was disclosed on August 22, 2022. This security flaw impacts the OPC UA implementation, which is a C-based library used for implementing OPC UA clients and servers (NVD, Snyk).

The vulnerability is classified as a Denial of Service (DoS) issue caused by a missing limitation on the number of received chunks - both per single session and in total for all concurrent sessions. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is tracked under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can result in a total loss of availability of the affected system. The impact is particularly severe as it can lead to a sustained denial of service condition while the attack is ongoing, effectively preventing legitimate users from accessing the service (Snyk).

The vulnerability has been fixed in versions 1.2.5 and 1.3.1. The fix includes implementing default limits for chunks and message size, with the maximum message size set to 512 MB and maximum chunk count set to 16k. Users are advised to upgrade to these or later versions (GitHub Commit, GitHub Release).