CVE-2025-54364: Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module

August 20, 2025 (updated August 29, 2025)

Withdrawn Advisory

This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack’s intended functionality. The maintainer states the following:

These CVEs are invalid. Knack is a CLI framework used by Azure CLI. It’s a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.

This link is maintained to preserve external references.

Original Description

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).

References

Code Behaviors & Features

Detect and mitigate CVE-2025-54364 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →