Giskard's Pattern Matching Can Be Tricked to Hang Indefinitely
CVSS score: 6.3
GHSA-rq2q-4r55-9877
CVE-2026-40319
Summary
Using Giskard's pattern matching feature, an attacker with access to a check definition can cause a denial of service by crafting a malicious pattern that makes the system take a long time to respond. This can happen in automated testing environments like CI/CD pipelines. To fix this, update to Giskard version 1.0.2b1 or later.
What to do
- Update giskard-checks to version 1.0.2b1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | giskard-checks | <= 1.0.1b1 (fix: upgrade to 1.0.2b1) |
| PyPI | – | giskard-checks | < 1.0.2b1 (fix: upgrade to 1.0.2b1) |
Original title
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check
Original description
## Summary
The RegexMatching check in the `giskard-checks` package passes a user-supplied regular expression pattern directly to Python's `re.search()` without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations.
`giskard-checks` is a local developer testing library. Check definitions, including the `pattern` parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.
## Affected component
`text_matching.py`, line 457: `re.search(pattern, text)`
## Remediation
Upgrade to `giskard-checks` >= 1.0.2b1.
## Credit
Giskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.
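The advisory's root cause is an unbounded `re.search()` call. The following is an added example (not Giskard's code, and not the 1.0.2b1 fix) of how a check can bound regex evaluation with the standard library alone: it rejects invalid or oversized patterns up front, then runs the match in a disposable child process that is killed when it exceeds a deadline. The function names are assumptions; the `(a+)+$` pattern in the demo is the textbook catastrophic-backtracking case, included only as constructed input to verify that the guard fires.

```python
import multiprocessing
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class MatchResult:
    matched: Optional[bool]  # None when evaluation was aborted
    timed_out: bool


def _search_worker(pattern: str, text: str, conn) -> None:
    # Runs in the child process; a runaway match is killed by the parent.
    conn.send(re.search(pattern, text) is not None)
    conn.close()


def bounded_regex_search(pattern: str, text: str, timeout: float = 1.0,
                         max_pattern_len: int = 256) -> MatchResult:
    """Evaluate `pattern` against `text` with a hard wall-clock bound."""
    if len(pattern) > max_pattern_len:
        raise ValueError("pattern exceeds configured length limit")
    re.compile(pattern)  # cheap: rejects syntactically invalid patterns early
    try:
        ctx = multiprocessing.get_context("fork")  # no pickling of the target
    except ValueError:
        ctx = multiprocessing.get_context()  # platform without fork
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_search_worker, args=(pattern, text, child),
                       daemon=True)
    proc.start()
    child.close()
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()  # catastrophic backtracking cannot be interrupted otherwise
        proc.join()
        parent.close()
        return MatchResult(matched=None, timed_out=True)
    result = parent.recv() if parent.poll() else None
    parent.close()
    return MatchResult(matched=result, timed_out=False)


if __name__ == "__main__":
    # Constructed sample inputs: a benign check and a pathological pattern.
    print(bounded_regex_search(r"\bERROR\b", "2026-04-14 ERROR disk full"))
    print(bounded_regex_search(r"(a+)+$", "a" * 40 + "!", timeout=0.5))
```

A CI runner would surface `timed_out=True` as a failed check rather than a hung job, which is the availability property the advisory is concerned with.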
ghsa CVSS4.0
1.0
Vulnerability type: CWE-1333 Inefficient Regular Expression Complexity (ReDoS)
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 15 Apr 2026