When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to slice into the code point and panics as a result.
This is a security concern for you, if
The crashes are fixed in version 0.4.3. Affected users are advised to update to this version.
You can use catch_unwind
to recover from panics.
If you have any questions or comments about this advisory:
Credit for finding these bugs goes to