node-opcua-certificate-manager is vulnerable to a race condition
31
Low Risk
Affected versions of this package use a single CertificateManager that can be shared by many concurrent clients. When multiple clients concurrently call trustCertificate() for the same previously untrusted server certificate, they race on fs.rename: the first call moves the file from rejected to trusted, and subsequent callers get ENOENT because the source file is already moved. That can leave callers with an error or inconsistent trust state. The patch wraps trustCertificate in a try-catch; on ENOENT it re-checks getTrustStatus and returns Good if the certificate was already trusted by another caller.
You are affected if you are using a version that falls within the vulnerable range.
node-opcua-certificate-manager is vulnerable to a race condition in versions 0.0.1 - 2.164.1.
Upgrade the node-opcua-certificate-manager library to the patched version.
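The race and the ENOENT re-check described above can be reproduced with a small stand-in for the certificate store. This is an added example, not code from node-opcua-certificate-manager; the function names (`trustNaive`, `trustHardened`, `trustStatus`, `race`), the `rejected`/`trusted` folder layout and the status labels are assumptions made for illustration.

```javascript
// Added illustration: names, folder layout and status labels are assumptions,
// not the node-opcua-certificate-manager API.
const fsp = require("node:fs/promises");
const os = require("node:os");
const path = require("node:path");

// Constructed store: <root>/rejected and <root>/trusted, with one rejected certificate.
async function makeStore(name) {
  const root = await fsp.mkdtemp(path.join(os.tmpdir(), "pki-"));
  await fsp.mkdir(path.join(root, "rejected"));
  await fsp.mkdir(path.join(root, "trusted"));
  await fsp.writeFile(path.join(root, "rejected", name), "constructed sample certificate");
  return root;
}

const exists = (p) => fsp.access(p).then(() => true, () => false);

async function trustStatus(root, name) {
  if (await exists(path.join(root, "trusted", name))) return "trusted";
  if (await exists(path.join(root, "rejected", name))) return "rejected";
  return "unknown";
}

// Pre-patch shape: the rename is the whole operation, so every caller that
// loses the race gets ENOENT even though the certificate is now trusted.
async function trustNaive(root, name) {
  await fsp.rename(path.join(root, "rejected", name), path.join(root, "trusted", name));
  return "Good";
}

// Patched shape: on ENOENT, re-check the status; another caller already moved the file.
async function trustHardened(root, name) {
  try {
    return await trustNaive(root, name);
  } catch (err) {
    if (err.code === "ENOENT" && (await trustStatus(root, name)) === "trusted") return "Good";
    throw err; // any other failure, or a certificate that is in neither folder
  }
}

// Fire `callers` concurrent trust calls at a fresh store and report each outcome.
async function race(trustFn, callers = 5, name = "server.pem") {
  const root = await makeStore(name);
  const settled = await Promise.allSettled(Array.from({ length: callers }, () => trustFn(root, name)));
  const outcomes = settled.map((r) => (r.status === "fulfilled" ? r.value : r.reason.code));
  const status = await trustStatus(root, name);
  await fsp.rm(root, { recursive: true, force: true });
  return { outcomes, status };
}
```

Calling `race(trustNaive)` yields one `Good` and an `ENOENT` for every other caller, while `race(trustHardened)` yields `Good` for all of them; a certificate that is in neither folder still surfaces the original error.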