GMS-2023-233: Switcher Client contains Regular Expression Denial of Service (ReDoS)
Impact
Unsanitized input flows into the Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular Expression Denial of Service (ReDoS) attack.
Patches
Patched in 3.1.4
Workarounds
Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
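The flow described under Impact, next to a hardened form, as an added example that is not Switcher Client's own code. The function names, the sample values and the length limit are hypothetical, and the hardened form assumes literal matching of the input is acceptable.

```javascript
// Added illustration; function names are hypothetical, not Switcher Client's API.

// Vulnerable shape: the caller-supplied input is compiled as a pattern, so any
// regex metacharacters in it are interpreted, including nested quantifiers
// that can make the engine backtrack for a very long time.
function existUnsafe(input, values) {
  const re = new RegExp(input);
  return values.some((v) => re.test(v));
}

const MAX_INPUT_LENGTH = 256; // assumed limit; tune to the application

// Escape every regex metacharacter so the input can only match literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Hardened shape: reject non-strings and oversized input, then match literally.
function existSafe(input, values) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) {
    return false;
  }
  const re = new RegExp(escapeRegExp(input));
  return values.some((v) => re.test(v));
}

// Constructed sample data.
const values = ['user_abc', 'user_xyz'];
console.log(existUnsafe('user_a.c', values)); // '.' is interpreted as a wildcard
console.log(existSafe('user_a.c', values));   // '.' is treated as a literal dot
console.log(existSafe('user_abc', values));   // plain literal still matches
```

The differing results for `user_a.c` show that the unsafe form interprets input as pattern syntax, which is the property a ReDoS depends on.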