Control: tags -1 -security
Control: tags -1 wontfix
Control: close -1

On Thu, 21 Aug 2025 21:48:51 +0200 Salvatore Bonaccorso <[email protected]> wrote:
> Source: knack
> Version: 0.12.0-2
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/microsoft/knack/issues/281
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerabilities were published for knack.
>
> CVE-2025-54363[0]:
> | Microsoft Knack 0.12.0 allows Regular expression Denial of Service
> | (ReDoS) in the knack.introspection module.
> | extract_full_summary_from_signature employs an inefficient regular
> | expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible
> | to catastrophic backtracking when processing crafted docstrings
> | containing a large volume of whitespace without a terminating colon.
> | An attacker who can control or inject docstring content into
> | affected applications can trigger excessive CPU consumption. This
> | software is used by Azure CLI.
>
> CVE-2025-54364[1]:
> | Microsoft Knack 0.12.0 allows Regular expression Denial of Service
> | (ReDoS) in the knack.introspection module. option_descriptions
> | employs an inefficient regular expression pattern:
> | "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic
> | backtracking when processing crafted docstrings containing a large
> | volume of whitespace without a terminating colon. An attacker who
> | can control or inject docstring content into affected applications
> | can trigger excessive CPU consumption. This software is used by
> | Azure CLI.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-54363
>     https://www.cve.org/CVERecord?id=CVE-2025-54363
> [1] https://security-tracker.debian.org/tracker/CVE-2025-54364
>     https://www.cve.org/CVERecord?id=CVE-2025-54364
> [2] https://github.com/microsoft/knack/issues/281
>
> Please adjust the affected versions in the BTS as needed.
Hi,

As per:
https://github.com/microsoft/knack/issues/281#issuecomment-3218922941
these CVEs have been withdrawn:
https://github.com/advisories/GHSA-6fxp-p9mg-q64w
https://github.com/advisories/GHSA-xh9h-692f-mmg4
as the affected code only affects some documentation parsing, so it's not part of the threat model of the package.

Closing accordingly.
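The reports above quote the pattern `\s(:param)\s+(.+?)\s:(.*)` and attribute the CPU blow-up to backtracking over long whitespace runs that never reach a closing colon. The following is an added example (editor's illustration, not knack's own `option_descriptions` or `extract_full_summary_from_signature` code, and not taken from the bug report) of how the same `:param [type] name: text` docstring fields can be extracted with line-at-a-time parsing and `str.partition`, which does constant work per character and simply drops a `:param` line that has no terminating colon instead of searching for one. The function name, the sample docstring and the test inputs are constructed for this example.

```python
"""Linear-time extraction of Sphinx-style ':param' fields from a docstring.

Added illustration, not knack's implementation. The pattern quoted in the
bug report is kept only as a string constant for reference; it is never
executed here.
"""

# Pattern quoted in the report (reference only, not used by the parser below).
REPORTED_PATTERN = r"\s(:param)\s+(.+?)\s:(.*)"

# Constructed sample input for the example.
SAMPLE_DOCSTRING = """Create a widget.

:param str name: Name of the widget.
:param int count: How many to create,
    one per line of output.
:returns: The created widget.
"""


def extract_param_descriptions(docstring: str) -> dict:
    """Return {param_name: description} for ':param [type] name: text' lines.

    Each line is examined once. A ':param' line without a closing ':' is
    skipped (the case the report describes) rather than scanned for a colon
    that may never come. Non-empty lines that follow a ':param' line and do
    not start a new field are treated as continuations of its description;
    a blank line or another ':'-field ends the description.
    """
    result = {}
    current = None  # parameter whose description is still being collected

    for raw in docstring.splitlines():
        line = raw.strip()

        if line.startswith(":param "):
            current = None
            # partition() finds the first ':' in a single pass; no backtracking.
            head, sep, desc = line[len(":param "):].partition(":")
            if not sep:
                continue  # malformed field, no terminating colon: ignore it
            tokens = head.split()
            if not tokens:
                continue  # ':param :' with no name: ignore it
            name = tokens[-1]  # 'str name' -> 'name'; optional type comes first
            result[name] = desc.strip()
            current = name
        elif line.startswith(":") or not line:
            # Another field (':returns:', ':raises:', ...) or a blank line
            # terminates the current parameter's description.
            current = None
        elif current is not None:
            result[current] = (result[current] + " " + line).strip()

    return result


if __name__ == "__main__":
    for name, text in extract_param_descriptions(SAMPLE_DOCSTRING).items():
        print(f"{name}: {text}")
```

Because the work per line is bounded by that line's length, a docstring consisting of `:param` followed by a very long run of spaces and no colon is rejected in one pass over the line; the parser's cost stays linear in the input size whatever the whitespace layout.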

