CVE-2025-54364

NameCVE-2025-54364
DescriptionMicrosoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1111774

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
knack (PTS)bullseye0.8.0~rc2-1vulnerable
bookworm0.10.1-1vulnerable
trixie0.12.0-2vulnerable
forky, sid0.13.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
knacksource(unstable)(unfixed)unimportant1111774

Notes

https://github.com/microsoft/knack/issues/281
Negligible security impact; disputed as security issue upstream in context
of its use by Azure CLI
Search for package or bug name: Reporting problems