Source: knack
Version: 0.12.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/microsoft/knack/issues/281
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for knack.

CVE-2025-54363[0]:
| Microsoft Knack 0.12.0 allows Regular expression Denial of Service
| (ReDoS) in the knack.introspection module.
| extract_full_summary_from_signature employs an inefficient regular
| expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible
| to catastrophic backtracking when processing crafted docstrings
| containing a large volume of whitespace without a terminating colon.
| An attacker who can control or inject docstring content into
| affected applications can trigger excessive CPU consumption. This
| software is used by Azure CLI.

CVE-2025-54364[1]:
| Microsoft Knack 0.12.0 allows Regular expression Denial of Service
| (ReDoS) in the knack.introspection module. option_descriptions
| employs an inefficient regular expression pattern:
| "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic
| backtracking when processing crafted docstrings containing a large
| volume of whitespace without a terminating colon. An attacker who
| can control or inject docstring content into affected applications
| can trigger excessive CPU consumption. This software is used by
| Azure CLI.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54363
    https://www.cve.org/CVERecord?id=CVE-2025-54363
[1] https://security-tracker.debian.org/tracker/CVE-2025-54364
    https://www.cve.org/CVERecord?id=CVE-2025-54364
[2] https://github.com/microsoft/knack/issues/281

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
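As an added illustration (not part of the bug report and not knack's own code), the pattern quoted in the advisories beside a line-based parser that yields the same (name, description) pairs on well-formed docstrings but does a single forward pass per line, so a long run of whitespace with no terminating colon costs linear rather than quadratic time. The function names and the sample docstring are constructed for this example.

```python
import re

# Regex quoted in the advisory for knack.introspection (CVE-2025-54363/54364).
# After "\s+" the lazy "(.+?)" is re-expanded once per possible split with the
# preceding "\s+" while "\s:" keeps failing, so a long whitespace run that never
# reaches a colon costs O(n^2) steps: the ReDoS condition the report describes.
ADVISORY_PATTERN = re.compile(r"\s(:param)\s+(.+?)\s:(.*)")


def extract_params_regex(docstring):
    """(name, description) pairs exactly as the advisory's pattern yields them."""
    return [(m.group(2), m.group(3).strip())
            for m in ADVISORY_PATTERN.finditer(docstring)]


def extract_params_linear(docstring):
    """Same pairs built with str methods only: one forward pass per line.

    Deliberate differences from the regex, chosen to bound the runtime:
    - ':param', the name and the ' :' separator must share one line (the
      regex lets '\\s+' and the '\\s' before ':' span a newline);
    - ':param' may open the very first line of the docstring (the regex
      needs a whitespace character in front of it).
    """
    pairs = []
    for line in docstring.splitlines():
        body = line.lstrip()
        # Require the literal ':param' followed by at least one whitespace char.
        if not body.startswith(":param") or not body[6:7].isspace():
            continue
        rest = body[6:].lstrip()
        # The name ends at the first whitespace character followed by ':'.
        sep = next((i for i in range(len(rest) - 1)
                    if rest[i].isspace() and rest[i + 1] == ":"), None)
        if sep is None:
            continue  # no separator on this line: the regex has no match either
        pairs.append((rest[:sep], rest[sep + 2:].strip()))
    return pairs
```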

