Impact
The GetEndpoints Discovery Service in open62541 does not validate the length of the endpointUrl field in a GetEndpointsRequest. An unauthenticated attacker who can reach the server can supply an arbitrarily large string (up to roughly 4.09 GB via the UInt32 length field) that arrives in many small network fragments. Because the server concatenates all fragments in RAM without a final delimiter and without an upper bound on buffer size, it continues to consume memory until the SecureChannel times out. The attack takes place before a session is established and bypasses encryption; it results in a denial of service by exhausting server memory, potentially causing a crash or severe slowdown. The weakness is a classic lack of input validation that leads to uncontrolled memory use, classified under CWE-770 and CWE-789.
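The two checks whose absence is described above, as an added C example that is not open62541's code or its fix: it rejects an oversized declared string length before any payload is buffered, and it caps the total size of a message reassembled from fragments. The limits MAX_MESSAGE_BYTES and MAX_URL_BYTES and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for this example; not values taken from open62541. */
#define MAX_MESSAGE_BYTES (64u * 1024u) /* cap on one reassembled message */
#define MAX_URL_BYTES 4096u             /* cap on the endpointUrl field */
typedef struct { uint8_t *data; size_t len; } msg_buf;

/* Decode the 32-bit little-endian length prefix and reject an oversized
 * declaration before any payload is buffered. OPC UA binary encodes a
 * null string as length -1 (0xFFFFFFFF). */
static int url_length_ok(const uint8_t hdr[4], uint32_t *out) {
    uint32_t n = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                 ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    if (n == 0xFFFFFFFFu) n = 0;
    if (n > MAX_URL_BYTES) return 0;
    *out = n;
    return 1;
}

/* Append one fragment. Returns -1 once the cap would be exceeded and frees
 * the partial message instead of keeping it in RAM. */
static int msg_append(msg_buf *m, const uint8_t *frag, size_t n) {
    uint8_t *p;
    if (n == 0) return 0;
    if (n > MAX_MESSAGE_BYTES - m->len || /* m->len never exceeds the cap */
        !(p = realloc(m->data, m->len + n))) {
        free(m->data); m->data = NULL; m->len = 0;
        return -1;
    }
    memcpy(p + m->len, frag, n);
    m->data = p; m->len += n;
    return 0;
}

/* Feed constructed 1 KiB fragments; return how many fit under the cap. */
static size_t fragments_accepted(size_t max_frags) {
    msg_buf m = {NULL, 0};
    uint8_t frag[1024] = {0}; /* constructed sample payload */
    for (size_t i = 0; i < max_frags; i++)
        if (msg_append(&m, frag, sizeof frag) != 0) return i;
    free(m.data);
    return max_frags;
}

int main(void) {
    const uint8_t huge[4] = {0x00, 0x00, 0x00, 0xF4}; /* constructed: ~4.09 GB */
    uint32_t n = 0;
    return (!url_length_ok(huge, &n) && fragments_accepted(1000) == 64) ? 0 : 1;
}
```

With both checks in place, memory held per connection is bounded by MAX_MESSAGE_BYTES regardless of how many fragments arrive or what length the request declares.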
Affected Systems
The vulnerability affects the open62541 project, shipped by o6 Automation GmbH, in all releases from 1.4.0 up through 1.4.16, from 1.5.0 up through 1.5.4, and on the master branch. Users employing those specific versions of the open62541 library should review their deployments for exposure.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, with a large potential impact on application availability. The EPSS score is not reported, so the likelihood of exploitation cannot be quantified from available data. The vulnerability is nevertheless reachable via unauthenticated network traffic and bypasses encryption, which makes it attractive to attackers who wish to disrupt OPC UA services. It is not currently listed in the CISA KEV catalog, which suggests no high-profile exploit has been observed yet, but it remains a legitimate threat to any exposed open62541 instance.