Medium severity · GHSA Advisory · Published Aug 20, 2025 · Updated Apr 15, 2026
CVE-2025-54363
Description
Microsoft Knack 0.12.0 allows regular expression denial of service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern, `\s(:param)\s+(.+?)\s:(.*)`, that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
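The pattern quoted in the description, placed next to a hardened variant, with a check that the two agree on ordinary docstrings. The backtracking comes from `\s+` and the lazy `.+?` both being able to consume whitespace: when no `\s:` terminator follows, the engine retries every split of the whitespace run between them, which is quadratic in the run length. Forcing the parameter name to start with a non-whitespace character removes that ambiguity. This is an added example, not knack's code or its fix; the function names, the sample docstrings and the hardened pattern are assumptions made for illustration.

```python
"""Added example: the ReDoS-prone regex quoted in the advisory beside a
hardened equivalent.  Not knack's code; names, sample docstrings and the
hardened pattern are assumptions for illustration."""
import re
import time

# Pattern exactly as quoted in the advisory.  `\s+` and the lazy `.+?` can both
# consume whitespace, so when no `\s:` terminator follows, the engine retries
# every split of the whitespace run between them: quadratic backtracking.
VULNERABLE_PARAM_RE = re.compile(r"\s(:param)\s+(.+?)\s:(.*)")

# Hardened variant (assumption, not knack's actual fix): the name must start
# with a non-whitespace character, so `\s+` has to swallow the whole run and
# every backtrack into it fails at `\S` immediately: linear in the run length.
HARDENED_PARAM_RE = re.compile(r"\s(:param)\s+(\S.*?)\s:(.*)")


def summary_before_params(docstring, pattern=HARDENED_PARAM_RE):
    """Text preceding the first `:param ... :` directive.

    Mirrors the shape of a summary extractor: everything before the first
    match is the summary; with no match the whole docstring is returned.
    """
    match = pattern.search(docstring)
    return docstring if match is None else docstring[:match.start()]


def param_docs(docstring, pattern=HARDENED_PARAM_RE):
    """(name, description) pairs for every `:param <name> : <desc>` directive."""
    return [(m.group(2), m.group(3).strip()) for m in pattern.finditer(docstring)]


# Constructed sample docstring in the `:param name : description` shape that
# the quoted pattern expects (whitespace before the second colon).
SAMPLE_DOCSTRING = """Create a resource group.

    :param name : Name of the new resource group.
    :param location : Azure region for the group.
"""


def patterns_agree(docstring):
    """True when both patterns yield the same summary and parameter docs."""
    return (summary_before_params(docstring, VULNERABLE_PARAM_RE)
            == summary_before_params(docstring, HARDENED_PARAM_RE)
            and param_docs(docstring, VULNERABLE_PARAM_RE)
            == param_docs(docstring, HARDENED_PARAM_RE))


def pathological_docstring(n):
    """Constructed worst-case shape from the advisory: `:param` followed by a
    long whitespace run and no terminating colon.  Neither pattern matches it,
    so both return the whole docstring as the summary; only the cost differs."""
    return "Summary line\n :param" + " " * n


def timed_search(pattern, docstring):
    """Seconds spent in one search; usable as a bounded-time regression check."""
    start = time.perf_counter()
    pattern.search(docstring)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(param_docs(SAMPLE_DOCSTRING))
    # Modest sizes: the vulnerable pattern's cost grows ~4x per doubling.
    for n in (2000, 4000):
        doc = pathological_docstring(n)
        print(n, "vulnerable: %.3fs" % timed_search(VULNERABLE_PARAM_RE, doc),
              "hardened: %.6fs" % timed_search(HARDENED_PARAM_RE, doc))
```

The one input on which the two patterns disagree is the degenerate `:param   :` (a name made only of whitespace): the quoted pattern accepts it with a blank name, the hardened one rejects it. A bounded-time check such as `timed_search` over the constructed worst case belongs in the test suite of any code that keeps a regex of this shape, so a regression is caught before it ships.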
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| knack (PyPI) | <= 0.12.0 | — |
Affected products
Package coordinates sourced from OSV (17 entries; no CPE is recorded for any of them).
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/az | < 2.79.0-r0 |
| pkg:apk/chainguard/az-iamguarded-compat | < 2.79.0-r0 |
| pkg:apk/chainguard/py3.10-knack | < 0.12.0-r3 |
| pkg:apk/chainguard/py3.11-knack | < 0.12.0-r3 |
| pkg:apk/chainguard/py3.12-knack | < 0.12.0-r3 |
| pkg:apk/chainguard/py3.13-knack | < 0.12.0-r3 |
| pkg:apk/chainguard/py3-knack | < 0.12.0-r3 |
| pkg:apk/chainguard/py3-supported-knack | < 0.12.0-r3 |
| pkg:apk/wolfi/az | < 2.79.0-r0 |
| pkg:apk/wolfi/az-iamguarded-compat | < 2.79.0-r0 |
| pkg:apk/wolfi/py3.10-knack | < 0.12.0-r3 |
| pkg:apk/wolfi/py3.11-knack | < 0.12.0-r3 |
| pkg:apk/wolfi/py3.12-knack | < 0.12.0-r3 |
| pkg:apk/wolfi/py3.13-knack | < 0.12.0-r3 |
| pkg:apk/wolfi/py3-knack | < 0.12.0-r3 |
| pkg:apk/wolfi/py3-supported-knack | < 0.12.0-r3 |
| pkg:pypi/knack | <= 0.12.0 |