CVE-2025-54363

20.08.2025, 03:15

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
mitre	CNA	---	---
CISA-ADP	ADP	---	---

Base Score

CVSS 3.x

EPSS Score

Percentile: 71%

Debian Releases

Debian Product

Codename

knack

bullseye	unimportant
bookworm	unimportant
trixie	unimportant
forky	unimportant
sid	unimportant

Common Weakness Enumeration

CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

https://github.com/microsoft/knack

https://github.com/microsoft/knack/issues/281

https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos