Medium severityGHSA Advisory· Published Aug 20, 2025· Updated Apr 15, 2026

CVE-2025-54364

Description

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
knackPyPI	<= 0.12.0	—

Affected products

Microsoft/KnackGHSA
Range: <= 0.12.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xh9h-692f-mmg4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-54364ghsaADVISORY
github.com/microsoft/knack/issues/281ghsaWEB
github.com/microsoft/knack/issues/281ghsaWEB
www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dosnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000