| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| knack | pip | <= 0.12.0 | |
The vulnerability, identified as CVE-2025-54364, is a Regular Expression Denial of Service (ReDoS) within the knack Python library, specifically in the introspection module. The GitHub issue #281 provides a detailed explanation of the vulnerability, pointing to an inefficient regular expression introduced in commit 430c39e657d8a424ef9b631782fe0e62a6bed203.
My analysis of the introducing commit confirms that it added the file clicore/introspection.py (which corresponds to the knack.introspection module). Within this file, two functions, extract_full_summary_from_signature and option_descriptions, were implemented using the vulnerable regex pattern r'\s*(:param)\s+(.+?)\s*:(.*)'.
The root cause of the ReDoS vulnerability is the combination of \s+, .+?, and \s* in the regex. All three can match whitespace characters, and .+? can match anything that \s+ and \s* match, so there are many ways to divide one run of whitespace among the three quantifiers. This ambiguity forces the regex engine to explore an exponentially large number of possibilities when it encounters a string with many spaces after :param, the condition known as catastrophic backtracking.
Any application that uses knack to define and manage CLI commands would be vulnerable. If a command's docstring is sourced from a user-controllable location, an attacker could inject a crafted string. When knack's introspection mechanism parses that docstring with either of the identified vulnerable functions, the regex engine hangs, consuming 100% CPU and rendering the application unresponsive. These two functions are therefore the direct runtime indicators that the vulnerability is being triggered.
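As an added illustration (not code from knack or from the advisory), the vulnerable pattern quoted above is placed beside a linear-time parser that yields the same captures on well-formed :param lines without any overlapping quantifiers. parse_param_line_safe is my own illustrative hardening and is not knack's actual fix; its rejection of a whitespace-only parameter name is a deliberate difference from the regex.

```python
import re

# Vulnerable pattern exactly as quoted in the advisory (knack <= 0.12.0).
VULNERABLE_PARAM_RE = re.compile(r'\s*(:param)\s+(.+?)\s*:(.*)')


def parse_param_line_regex(line):
    """Result of the vulnerable pattern on a short, trusted line.

    Never apply it to untrusted text: ':param' followed by a long whitespace
    run lets \\s+, .+? and \\s* trade characters back and forth, which is the
    catastrophic backtracking the advisory describes.
    """
    match = VULNERABLE_PARAM_RE.search(line)
    return (match.group(2), match.group(3)) if match else None


def parse_param_line_safe(line):
    """Linear-time replacement (an illustrative hardening, not knack's patch).

    Plain scanning instead of overlapping quantifiers: find ':param', require
    one whitespace character after it (the regex's \\s+), then split on the
    next ':'. Each step is one forward pass, so a whitespace run costs only as
    many steps as it has characters. A whitespace-only name is rejected.
    """
    pos = 0
    while True:
        start = line.find(':param', pos)
        if start == -1:
            return None                 # no ':param' at all
        rest = line[start + len(':param'):]
        if rest and rest[0].isspace():
            break                       # ':param' followed by whitespace
        pos = start + 1                 # e.g. ':params': keep scanning
    name, sep, description = rest.lstrip().partition(':')
    if not sep:
        return None                     # no terminating ':' -> no match
    name = name.rstrip()
    return (name, description) if name else None


if __name__ == '__main__':
    # Constructed sample lines, not taken from any real knack command.
    for line in [':param str name: The resource name.',
                 ':param tags : comma-separated, e.g. a:b',
                 '    :param   group:Resource group']:
        print(parse_param_line_safe(line))
    # The shape the advisory warns about: ':param', a long whitespace run, no ':'.
    print(parse_param_line_safe(':param' + ' ' * 100_000))  # None, immediately
```

On benign lines the two parsers agree, which is what a regression test for the replacement should check; only the safe parser is ever run on the whitespace-heavy input.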