CVE-2024-52524

Advisory

Affected versions of Giskard are vulnerable to Regular Expression Denial of Service (CWE-1333). This vulnerability allows attackers to trigger exponential regex evaluation times by supplying specially crafted text patterns, leading to denial of service through extended processing times or application crashes. The issue resides in the gruber regular expression used in the text perturbation detector's punctuation removal transformation. It is exploitable by submitting text with complex URL patterns that cause catastrophic backtracking.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Release 2.15.5 fixes a [ReDoS vulnerability](https://github.com/Giskard-AI/giskard/security/advisories/GHSA-pjwm-cr36-mwv3) discovered in Giskard text perturbation detector (CVE-2024-52524).

Thanks to kevinbackhouse for disclosing the issue and helping with the resolution.

**Full Changelog**: https://github.com/Giskard-AI/giskard/compare/v2.15.4...v2.15.5

Resources

• https://github.com/Giskard-AI/giskard/commit/48ce81f5c626171767188d6f0669498fb613b4d3
• https://github.com/advisories/GHSA-pjwm-cr36-mwv3
• https://github.com/Giskard-AI/giskard/security/advisories/GHSA-pjwm-cr36-mwv3
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52524