CVE-2025-54364 – knack

Package

Manager: pip
Name: knack
Vulnerable Version: <0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

EPSS: 0.00198 pctl0.42058

Details

Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module ### Withdrawn Advisory This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following: > These CVEs are invalid. Knack is a CLI framework used by [Azure CLI](https://github.com/Azure/azure-cli). It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack. This link is maintained to preserve external references. ### Original Description Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).

Metadata

Created: 2025-08-20T03:30:21Z
Modified: 2025-08-29T20:14:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xh9h-692f-mmg4/GHSA-xh9h-692f-mmg4.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-xh9h-692f-mmg4
Finding: F211
Auto approve: 1