CVE-2025-54363

20.08.2025, 03:15

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
mitre	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Debian Releases

Debian Product

Codename

knack

bullseye	postponed
trixie	no-dsa
bookworm	no-dsa
forky	vulnerable
sid	vulnerable

Common Weakness Enumeration

CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

https://github.com/microsoft/knack

https://github.com/microsoft/knack/issues/281

https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos