Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-23925: Regular Expression Denial of Service (ReDoS)

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

CVE
Open in Source
#dos#nodejs#java

Package

npm switcher-client (npm)

Affected versions

< 3.1.3

Description

Impact

Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

Patches

No fix is available yet. All versions are impacted < 3.1.3.

Workarounds

Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

References

CWE-400: Uncontrolled Resource Consumption
CAPEC-492: Regular Expression Exponential Blowup

Related news

GHSA-wqxw-8h5g-hq56: Switcher Client contains Regular Expression Denial of Service (ReDoS)

### Impact Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). ### Patches Patched in 3.1.4 ### Workarounds Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE