node-opcua-secure-channel is vulnerable to a race condition
31
Low Risk
Affected versions of this package disconnect the transport asynchronously during connection setup in ClientSecureChannelLayer. When the connection broke or was torn down, this allowed a race in which _backoff_completion was invoked with undefined instead of the cancellation error, leading to false successful connection paths and internal assertion errors. As a result, the application could believe the channel was still valid when the transport was already disconnected. The patch reverts to synchronous disposal (abortConnection, then dispose) and corrects _backoff_completion to propagate the cancellation error, so connection state stays consistent.
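The following is an added example, not code from node-opcua or from this advisory: a simplified model of the callback contract described above, showing why completing with undefined instead of the cancellation error makes an error-first caller record success on a dead transport. ToyChannel, backoffCompletion and runScenario are hypothetical names, and the model covers only the error propagation, not the library's actual timing.

```javascript
// Simplified model, constructed for illustration. Not node-opcua source code.
// ToyChannel, backoffCompletion and runScenario are hypothetical names.
class ToyChannel {
  constructor(propagateCancel) {
    this.propagateCancel = propagateCancel; // false = pre-patch behaviour
    this.transportOpen = false;
    this.state = "idle";
    this.pending = null;
  }

  // Start connection setup; the callback is error-first (no error means success).
  connect(callback) {
    this.state = "connecting";
    this.transportOpen = true;
    this.pending = callback;
  }

  // Teardown arrives while setup is still pending.
  abort() {
    this.transportOpen = false;
    const cancelled = new Error("connection cancelled");
    this.backoffCompletion(this.propagateCancel ? cancelled : undefined);
  }

  backoffCompletion(err) {
    const callback = this.pending;
    this.pending = null;
    this.state = err ? "closed" : "open"; // undefined is read as success
    if (callback) callback(err);
  }
}

function runScenario(propagateCancel) {
  const channel = new ToyChannel(propagateCancel);
  let callerSawSuccess = null;
  channel.connect((err) => { callerSawSuccess = !err; });
  channel.abort();
  return {
    callerSawSuccess,
    state: channel.state,
    transportOpen: channel.transportOpen,
    // Invariant: a "successful" channel must have a live transport.
    consistent: callerSawSuccess === channel.transportOpen,
  };
}

console.log("pre-patch model:", runScenario(false));
console.log("patched model:  ", runScenario(true));
```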
You are affected if you are using a version that falls within the vulnerable range.
node-opcua-secure-channel is vulnerable to a race condition in versions 0.0.1 - 2.164.1.
Upgrade the node-opcua-secure-channel library to the patched version.