PyPi: Giskard

CVE-2024-52524

Safety vulnerability ID: 74160

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 14, 2024 Updated at Nov 29, 2024

Advisory

Affected versions of Giskard are vulnerable to Regular Expression Denial of Service (ReDoS, CWE-1333). An attacker can trigger exponential regex evaluation times by supplying specially crafted text, leading to denial of service through extended processing times or application crashes. The issue resides in the gruber regular expression used in the text perturbation detector's punctuation removal transformation, and it is exploitable by submitting text containing complex URL patterns that cause catastrophic backtracking.
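Because the Python standard library `re` module has no match timeout, the practical defence against this class of bug is to keep URL handling out of a backtracking regex altogether and to bound input size. The following is an added example, not Giskard's code or its actual fix: a linear-time punctuation-removal step that preserves URL-like tokens with a plain prefix test instead of a URL regex. The prefix list, the whitespace tokenisation and the `MAX_INPUT_CHARS` bound are assumptions chosen for illustration.

```python
import string

# Assumption (not from the advisory): a token counts as URL-like when it starts
# with one of these prefixes. A startswith() check scans the token once and
# cannot backtrack, unlike a URL-matching regex.
_URL_PREFIXES = ("http://", "https://", "ftp://", "www.")

# str.translate with a deletion table removes punctuation in a single pass.
_PUNCT_TABLE = str.maketrans("", "", string.punctuation)

# Hypothetical upper bound; reject oversized inputs before any processing so
# that even linear work per request stays within a known budget.
MAX_INPUT_CHARS = 100_000


def is_url_like(token: str) -> bool:
    """Cheap O(len(token)) prefix test with no regular expression involved."""
    return token.lower().startswith(_URL_PREFIXES)


def remove_punctuation_keep_urls(text: str) -> str:
    """Strip punctuation from non-URL tokens, leaving URL-like tokens intact.

    Every step (split, prefix test, translate) touches each character a
    constant number of times, so adversarial input can only cost linear time.
    Original whitespace runs are collapsed to single spaces.
    """
    if len(text) > MAX_INPUT_CHARS:
        raise ValueError(f"input exceeds {MAX_INPUT_CHARS} characters")
    out = []
    for token in text.split():
        if is_url_like(token):
            out.append(token)  # keep the URL exactly as supplied
        else:
            cleaned = token.translate(_PUNCT_TABLE)
            if cleaned:  # drop tokens that were punctuation only
                out.append(cleaned)
    return " ".join(out)


if __name__ == "__main__":
    sample = "Hello, world! See https://example.com/a?b=1,2 now..."  # constructed
    print(remove_punctuation_keep_urls(sample))
```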

Affected package

giskard

Latest version: 2.16.0

The testing framework dedicated to ML models, from tabular to LLMs

Affected versions

Fixed versions

Vulnerability changelog

Release 2.15.5 fixes a [ReDoS vulnerability](https://github.com/Giskard-AI/giskard/security/advisories/GHSA-pjwm-cr36-mwv3) discovered in the Giskard text perturbation detector (CVE-2024-52524).

Thanks to kevinbackhouse for disclosing the issue and helping with the resolution.

**Full Changelog**: https://github.com/Giskard-AI/giskard/compare/v2.15.4...v2.15.5
