VYPR
Medium severityGHSA Advisory· Published Aug 20, 2025· Updated Apr 15, 2026

CVE-2025-54363

CVE-2025-54363

Description

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
knackPyPI
<= 0.12.0

Affected products

18

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.