Vulnerability Description
Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Switcherapi | Switcher Client | < 3.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4Release Notes
- https://github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wVendor Advisory
- https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4Release Notes
- https://github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wVendor Advisory
FAQ
What is CVE-2023-23925?
CVE-2023-23925 is a vulnerability with a CVSS score of 8.6 (HIGH). Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expr...
How severe is CVE-2023-23925?
CVE-2023-23925 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-23925?
Check the references section above for vendor advisories and patch information. Affected products include: Switcherapi Switcher Client.