CVE-2025-54363
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-20
Last updated on: 2025-08-21
Assigner: MITRE
Description
Description
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | knack | 0.12.0 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular expression Denial of Service (ReDoS) issue in the knack.introspection module of Microsoft Knack version 0.12.0. It allows an attacker to exploit the way regular expressions are processed, potentially causing the system to become unresponsive or slow down significantly.
How can this vulnerability impact me? :
The vulnerability can lead to denial of service conditions by making the affected system consume excessive resources when processing certain regular expressions, resulting in degraded performance or unavailability of services.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70