Home > Vulnerability Database > CVE-2023-23925

Mend.io Vulnerability Database

CVE-2023-23925

Good to know:

Date: February 3, 2023

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS). This issue has been patched in version 3.1.4. As a workaround, avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

Language: JS

Severity Score

7.5

Related Resources (4)

Url: https://github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wqxw-8h5g-hq56

Url: https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23925

Url: https://www.mend.io/vulnerability-database/CVE-2023-23925

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version switcher-client - 3.1.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23925

Good to know:

Date: February 3, 2023

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?