CVE-2023-23925 Information

Feb 05, 2023 cve

Description

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST) where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

Reference

https://github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wqxw-8h5g-hq56 https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4

Share on: