CVE-2026-34939
ReDoS Vulnerability in PraisonAI MCPToolIndex Causes Service Outage
Publication date: 2026-04-03
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | < 4.5.90 (all releases before 4.5.90; 4.5.90 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in PraisonAI versions before 4.5.90, in the MCPToolIndex.search_tools() function. The function takes a caller-controlled string and compiles it directly as a Python regular expression, with no validation of its length or structure, no escaping, and no timeout control (the standard-library re module offers no way to bound matching time).
A caller can therefore supply a pattern with nested quantifiers (for example a form like (a+)+$) that causes catastrophic backtracking (CWE-1333) in the regex engine when it is matched against tool names or descriptions that almost, but not quite, match. The worker thread that performs the search can be blocked for hundreds of seconds, which amounts to a complete denial of service for the PraisonAI process.
The issue was fixed in PraisonAI 4.5.90.
How can this vulnerability impact me?
This vulnerability is a denial-of-service (DoS) condition: a single malicious search string can pin a CPU core and block the Python thread handling the request for an extended period through catastrophic backtracking in the regex engine. Because every request is cheap for the attacker and expensive for the server, the affected PraisonAI service can be rendered completely unavailable, disrupting any agent workflow that depends on it. No data is disclosed or modified; the impact is to availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade PraisonAI to version 4.5.90 or later, where the issue is patched. Until you can upgrade, do not pass untrusted or model-generated text straight into MCPToolIndex.search_tools(); match tool names by literal substring (for example by escaping the query with re.escape) and cap the query length, and verify after the upgrade that the search path no longer compiles caller input as a regex.
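The following is an added example, not PraisonAI code, that reproduces the vulnerable shape described above (caller text compiled directly as a regex) next to two hardened searches: a literal search that escapes the query and caps its length, and a wildcard search that goes through fnmatch.translate, which on Python 3.9 and later emits a pattern without nested quantifiers. The Tool class, the SAMPLE_TOOLS index, MAX_QUERY_LEN and every function name are invented for illustration; the real MCPToolIndex internals are not reproduced here.

```python
"""Added illustration of the CWE-1333 pattern behind CVE-2026-34939.

Nothing here is PraisonAI code. Tool, SAMPLE_TOOLS, MAX_QUERY_LEN and the
search_* functions are assumptions made for this example.
"""
import re
import time
from dataclasses import dataclass
from fnmatch import translate

MAX_QUERY_LEN = 64  # assumed policy: long enough for tool names, short enough to bound work


@dataclass(frozen=True)
class Tool:
    name: str
    description: str


# Constructed sample index (not PraisonAI's real tool registry).
SAMPLE_TOOLS = [
    Tool("read_file", "Read a file from disk"),
    Tool("write_file", "Write text to a file"),
    Tool("http_get", "Fetch a URL over HTTP"),
    Tool("shell_exec", "Run a shell command"),
]


def _matches(rx, tool):
    return bool(rx.search(tool.name) or rx.search(tool.description))


def search_tools_vulnerable(tools, pattern):
    """Mirrors the vulnerable shape: caller text becomes the regex unchanged.

    A pattern with nested quantifiers such as '(a+)+$' backtracks exponentially
    against any subject that is a long run of 'a' followed by a non-'a'.
    """
    rx = re.compile(pattern)  # no validation, no escaping, no timeout (re has none)
    return [t.name for t in tools if _matches(rx, t)]


def query_within_budget(query):
    """Validation step: reject empty or oversized queries before any matching."""
    return 0 < len(query) <= MAX_QUERY_LEN


def search_tools_literal(tools, query):
    """Hardened: bound the input and treat it as text, never as a pattern."""
    if not query_within_budget(query):
        raise ValueError("query must be 1..%d characters" % MAX_QUERY_LEN)
    rx = re.compile(re.escape(query), re.IGNORECASE)  # metacharacters become literals
    return [t.name for t in tools if _matches(rx, t)]


def search_tools_glob(tools, glob):
    """Hardened variant that still offers '*' and '?' wildcards.

    fnmatch.translate (Python 3.9+) anchors the pattern and joins wildcards
    with non-backtracking groups, so the caller cannot introduce nested
    quantifiers and matching cost stays bounded.
    """
    if not query_within_budget(glob):
        raise ValueError("glob must be 1..%d characters" % MAX_QUERY_LEN)
    rx = re.compile(translate(glob), re.IGNORECASE)
    return [t.name for t in tools if _matches(rx, t)]


def time_search(search_fn, n, query):
    """Seconds spent searching a one-entry index whose name is 'a'*n + 'b'.

    That name is the worst case for '(a+)+$': every split of the run of a's is
    tried before the final 'b' fails the match. Constructed adversarial input.
    """
    index = [Tool("a" * n + "b", "constructed adversarial name")]
    start = time.perf_counter()
    search_fn(index, query)
    return time.perf_counter() - start


if __name__ == "__main__":
    evil = "(a+)+$"
    for n in (12, 16, 20):  # each step of 4 roughly multiplies the time by 16
        print("vulnerable n=%d: %.3fs" % (n, time_search(search_tools_vulnerable, n, evil)))
    print("literal    n=40: %.6fs" % time_search(search_tools_literal, 40, evil))
    print(search_tools_literal(SAMPLE_TOOLS, "file"), search_tools_glob(SAMPLE_TOOLS, "*_file"))
```

Running the script shows the vulnerable search time growing geometrically with n while the literal search stays flat, because once the query is escaped the regex engine has no alternation to explore. Pushing n toward 30 in the vulnerable call reproduces the multi-minute stall the advisory describes; do not do that on a shared box.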