GHSA-xh9h-692f-mmg4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xh9h-692f-mmg4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xh9h-692f-mmg4/GHSA-xh9h-692f-mmg4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xh9h-692f-mmg4
- Aliases
- Related
- Withdrawn
- 2025-08-29T20:14:37Z
- Published
- 2025-08-20T03:30:21Z
- Modified
- 2026-02-04T02:33:57.194777Z
- Severity
-
- 1.2 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module
- Details
-
Withdrawn Advisory
This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following:
These CVEs are invalid. Knack is a CLI framework used by Azure CLI. It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.
This link is maintained to preserve external references.
Original Description
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).
- Database specific
{ "cwe_ids": [ "CWE-1333" ], "severity": "LOW", "github_reviewed": true, "nvd_published_at": "2025-08-20T03:15:35Z", "github_reviewed_at": "2025-08-21T15:01:00Z" }- References
Affected packages
PyPI / knack
Package
- Name
- knack
- View open source insights on deps.dev
- Purl
- pkg:pypi/knack
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected0.12.0