Impact

Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).

Patches

Patched in 3.1.4

Workarounds

Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.

References

• GHSA-wqxw-8h5g-hq56
• https://nvd.nist.gov/vuln/detail/CVE-2023-23925
• https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4
• switcherapi/switcher-client-js@3747525