Skip to main content

Python CVE-2026-40319

LOW
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-04-14 https://github.com/Giskard-AI/giskard-oss GHSA-rq2q-4r55-9877
1.0
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.0 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 17, 2026 - 18:22 NVD
1.0 (LOW)
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 15, 2026 - 01:13 vuln.today
Analysis Generated
Apr 14, 2026 - 23:31 vuln.today
CVE Published
Apr 14, 2026 - 23:13 nvd
LOW 1.0

DescriptionGitHub Advisory

Summary

The RegexMatching check in the giskard-checks package passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations.

giskard-checks is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.

Affected component

text_matching.py, line 457: re.search(pattern, text)

Remediation

Upgrade to giskard-checks >= 1.0.2b1.

Credit

Giskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.

AnalysisAI

Denial of service in giskard-checks RegexMatching check via unguarded regex pattern matching allows local attackers with write access to check definitions to trigger catastrophic backtracking in Python's re.search() function, causing process hangs and disrupting CI/CD pipelines or automated test execution.

Technical ContextAI

The giskard-checks library is a Python package for local model testing that includes a RegexMatching check component. The vulnerability resides in text_matching.py at line 457, where user-supplied regex patterns are passed directly to Python's re.search() function without timeout enforcement, complexity validation, or pattern sanitization. Python's re module is susceptible to ReDoS (Regular Expression Denial of Service) attacks via catastrophic backtracking when given pathological patterns combined with certain input strings. The root cause is classified under CWE-1333 (Inefficient Regular Expression Complexity), which encompasses regex engines that lack safeguards against exponential-time matching behavior. Since giskard-checks is a developer-facing testing library executed in local or CI/CD environments, exploitation requires prior write access to configuration or application code defining check parameters.

RemediationAI

Upgrade giskard-checks to version 1.0.2b1 or later by executing pip install --upgrade giskard-checks>=1.0.2b1 in your Python environment. The vendor-released patch introduces timeout and complexity guards on regex evaluation to prevent catastrophic backtracking. If immediate upgrade is not feasible, review and restrict write access to check definition files and configuration sources to limit the attack surface. Additional mitigation involves disabling or removing RegexMatching checks if they are not actively used in your test suite. For detailed information, refer to the GitHub security advisory at https://github.com/Giskard-AI/giskard-oss/security/advisories/GHSA-rq2q-4r55-9877.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-40319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy