CVE-2026-40319
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check
Description

## Summary

The RegexMatching check in the `giskard-checks` package passes a user-supplied regular expression pattern directly to Python's `re.search()` without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to everything else running in it.

`giskard-checks` is a local developer testing library. Check definitions, including the `pattern` parameter, are provided in application code or configuration files and executed locally. Exploitation therefore requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout can still cause availability issues in automated environments such as CI/CD pipelines, where a poisoned check definition hangs the job.

## Affected component

`text_matching.py`, line 457: `re.search(pattern, text)`

## Remediation

Upgrade to `giskard-checks` >= 1.0.2b1.

## Credit

Giskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.
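The vulnerable shape described above (pattern and text handed straight to `re.search()`) next to one way to bound it, as an added example that is not code from `giskard-checks` or from the advisory. The function names (`unguarded_search`, `guarded_search`, `looks_dangerous`, `demo_timeout`), the nested-quantifier heuristic and the sample pattern/text pairs are all constructed for this illustration; the stdlib `re` module has no timeout parameter, so the guarded version runs the match in a forked child process (POSIX only) that is killed when its wall-clock budget expires.

```python
"""Unguarded re.search() beside a size-capped, time-boxed variant.

Added example, not giskard-checks code. Every name and sample here is
constructed for the demonstration.
"""
import multiprocessing as mp
import re
import time

# Constructed samples. "(a+)+$" is the textbook catastrophic-backtracking
# pattern: every way of splitting the run of "a"s between the inner and
# outer "+" is tried before the engine gives up on the trailing "!".
EVIL_PATTERN = r"^(a+)+$"
EVIL_TEXT = "a" * 32 + "!"
BENIGN_PATTERN = r"\d{3}-\d{4}"
BENIGN_TEXT = "call 555-1234 today"


class RegexTimeout(Exception):
    """Raised when a regex evaluation exceeds its time budget."""


def unguarded_search(pattern: str, text: str) -> bool:
    """The vulnerable shape: pattern and text go straight to re.search().

    A hostile pattern/text pair blocks the whole process here. Do not call
    it with EVIL_PATTERN/EVIL_TEXT unless you want to wait a very long time.
    """
    return re.search(pattern, text) is not None


# Coarse heuristic (an assumption, not a complete classifier) for the most
# common ReDoS shape: a quantified group whose body is itself quantified,
# e.g. (a+)+, (a*)*, (a+){2,}. Cheap pre-filter only; a timeout is still needed.
_NESTED_QUANTIFIER = re.compile(r"\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)(?:[+*]|\{\d)")


def looks_dangerous(pattern: str) -> bool:
    """True when the pattern contains a nested quantifier of the (x+)+ kind."""
    return _NESTED_QUANTIFIER.search(pattern) is not None


def _worker(pattern: str, text: str, conn) -> None:
    # Runs in a child process so that a runaway match can be SIGKILLed.
    conn.send(re.search(pattern, text) is not None)
    conn.close()


def guarded_search(pattern: str, text: str, timeout_s: float = 0.5,
                   max_text_len: int = 10_000) -> bool:
    """re.search() with an input-size cap and a hard wall-clock budget."""
    if len(text) > max_text_len:
        raise ValueError(f"text longer than {max_text_len} characters")
    re.compile(pattern)  # surface syntax errors in the parent, before forking
    ctx = mp.get_context("fork")
    parent_end, child_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(pattern, text, child_end), daemon=True)
    proc.start()
    child_end.close()  # the parent keeps only the receiving end
    try:
        proc.join(timeout_s)
        if proc.is_alive():
            proc.kill()
            proc.join()
            raise RegexTimeout(f"regex exceeded {timeout_s}s budget: {pattern!r}")
        if parent_end.poll():
            return parent_end.recv()
        raise RuntimeError("regex worker exited without reporting a result")
    finally:
        parent_end.close()


def demo_timeout() -> tuple:
    """Runs the hostile pair under the guard; returns (timed_out, elapsed_s)."""
    start = time.monotonic()
    try:
        guarded_search(EVIL_PATTERN, EVIL_TEXT, timeout_s=0.5)
        timed_out = False
    except RegexTimeout:
        timed_out = True
    return timed_out, time.monotonic() - start


if __name__ == "__main__":
    print("benign pattern matches:", guarded_search(BENIGN_PATTERN, BENIGN_TEXT))
    print("evil pattern flagged by heuristic:", looks_dangerous(EVIL_PATTERN))
    timed_out, elapsed = demo_timeout()
    print(f"evil pattern timed out: {timed_out} after {elapsed:.2f}s")
```

The process-based budget is the part that actually closes the hole: a thread cannot be interrupted mid-match, and the heuristic only catches the obvious `(x+)+` family, so the size cap and the heuristic are defence in depth around the timeout rather than substitutes for it.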
How to fix CVE-2026-40319
To fix CVE-2026-40319, upgrade the affected package to the patched version listed below.
- giskard-checks: upgrade to 1.0.2b1 or later
Is CVE-2026-40319 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- giskard-checks: from 0, < 1.0.2b1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|