CVE-2025-54363

Enriched by CISA
 

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "s(:param)s+(.+?)s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
https://nvd.nist.gov/vuln/detail/CVE-2025-54363

Categories

CWE-1333 : Inefficient Regular Expression Complexity
Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
Microsoft Knack
  • 0.12.0 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
492 Regular Expression Exponential Blowup