{"id":"GHSA-xh9h-692f-mmg4","summary":"Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module","details":"### Withdrawn Advisory\nThis advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following:\n\n\u003e These CVEs are invalid. Knack is a CLI framework used by [Azure CLI](https://github.com/Azure/azure-cli). It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.\n\nThis link is maintained to preserve external references.\n\n### Original Description\nMicrosoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).","aliases":["CVE-2025-54364"],"modified":"2026-02-04T02:33:57.194777Z","published":"2025-08-20T03:30:21Z","withdrawn":"2025-08-29T20:14:37Z","related":["CGA-x2rq-3g6w-2p3m"],"database_specific":{"github_reviewed_at":"2025-08-21T15:01:00Z","severity":"LOW","nvd_published_at":"2025-08-20T03:15:35Z","cwe_ids":["CWE-1333"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54364"},{"type":"WEB","url":"https://github.com/microsoft/knack/issues/281"},{"type":"WEB","url":"https://github.com/microsoft/knack/issues/281#issuecomment-3218922941"},{"type":"PACKAGE","url":"https://github.com/microsoft/knack"},{"type":"WEB","url":"https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"}],"affected":[{"package":{"name":"knack","ecosystem":"PyPI","purl":"pkg:pypi/knack"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.12.0"}]}],"versions":["0.0.1","0.1.0","0.1.1","0.10.0","0.10.1","0.11.0","0.12.0","0.2.0","0.3.0","0.3.1","0.3.2","0.3.3","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.6.0","0.6.1","0.6.2","0.6.3","0.7.0","0.7.0rc1","0.7.0rc3","0.7.0rc4","0.7.1","0.7.2","0.8.0","0.8.0rc1","0.8.0rc2","0.8.1","0.8.2","0.9.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xh9h-692f-mmg4/GHSA-xh9h-692f-mmg4.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"}]}