GHSA-RQ2Q-4R55-9877

Vulnerability from github – Published: 2026-04-14 23:13 – Updated: 2026-04-14 23:13
Summary
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check
Details

Summary

The RegexMatching check in the giskard-checks package passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations.

giskard-checks is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.

Affected component

text_matching.py, line 457: re.search(pattern, text)

Remediation

Upgrade to giskard-checks >= 1.0.2b1.
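The advisory names the missing pieces as a timeout, a complexity guard and pattern validation. The following is an added illustration of the complexity-guard part, written for this page and not taken from giskard-checks: it parses the pattern with Python's own regex parser and refuses patterns whose unbounded quantifiers are nested (the `(a+)+` shape that causes catastrophic backtracking) before `re.search()` ever runs. The `guarded_search` wrapper and its `max_len` cap are hypothetical, and a static guard of this kind does not catch every ReDoS shape, so a hard timeout remains the complete fix.

```python
# Added example: a static complexity guard in front of re.search(), written
# for this advisory and not taken from giskard-checks. It rejects patterns
# with nested unbounded quantifiers such as (a+)+ or (\w+\s?)* before the
# regex engine can backtrack on them. It does not catch every ReDoS shape
# (e.g. (a|aa)+), so a hard timeout remains the complete fix.
import re

try:                      # Python 3.11+ keeps the parser under re._parser
    from re import _parser as sre_parse
except ImportError:       # older interpreters expose it as sre_parse
    import sre_parse

REPEAT_OPS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)


def _subpatterns(av):
    """Yield every SubPattern nested inside an operand, whatever the opcode."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (list, tuple)):
        for item in av:
            yield from _subpatterns(item)


def _repeat_depth(sub, depth=0):
    """Deepest nesting of unbounded repeats (max == MAXREPEAT) inside `sub`."""
    deepest = depth
    for op, av in sub:
        here = depth
        if op in REPEAT_OPS and av[1] == sre_parse.MAXREPEAT:
            here = depth + 1
        deepest = max(deepest, here)
        for child in _subpatterns(av):
            deepest = max(deepest, _repeat_depth(child, here))
    return deepest


def has_nested_unbounded_repeat(pattern):
    """True when an unbounded quantifier sits inside another one."""
    return _repeat_depth(sre_parse.parse(pattern)) >= 2


def guarded_search(pattern, text, max_len=10_000):
    """Hypothetical wrapper: reject risky patterns and oversized input first."""
    if has_nested_unbounded_repeat(pattern):
        raise ValueError(f"rejected nested unbounded repeat in {pattern!r}")
    if len(text) > max_len:
        raise ValueError(f"text longer than {max_len} characters")
    return re.search(pattern, text) is not None
```

For a true time bound, run the match in a separate process that is terminated on timeout, or use the third-party `regex` package, whose `search()` accepts a `timeout=` argument.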

Credit

Giskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1b1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "giskard-checks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2b1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:13:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\nThe RegexMatching check in the `giskard-checks` package passes a user-supplied regular expression pattern directly to Python\u0027s re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations. \n\n`giskard-checks` is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.\n\n## Affected component\n \n`text_matching.py`, line 457: `re.search(pattern, text)`\n \n## Remediation\n \nUpgrade to `giskard-checks` \u003e= 1.0.2b1.\n \n## Credit\n \nGiskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.",
  "id": "GHSA-rq2q-4r55-9877",
  "modified": "2026-04-14T23:13:39Z",
  "published": "2026-04-14T23:13:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Giskard-AI/giskard-oss/security/advisories/GHSA-rq2q-4r55-9877"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Giskard-AI/giskard-oss"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check"
}