CVE-2024-52524: 
Python vulnerability analysis and mitigation

A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard, an evaluation and testing framework for AI systems, identified as CVE-2024-52524. The vulnerability was found by the GitHub Security Lab team in the Giskard component's text perturbation detector. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation times, potentially leading to denial of service. The vulnerability affects Giskard versions prior to 2.15.5 (GitHub Advisory).

The vulnerability specifically affects Giskard's punctuation removal transformation used in the text perturbation detection. A regex used to detect URLs and links was vulnerable to catastrophic backtracking that could be triggered by specific patterns in the text. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Clear. The weakness is categorized as CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

This vulnerability can cause extended computation times or crashes in Giskard when processing text containing certain patterns, potentially leading to denial of service conditions (GitHub Advisory).

Users should upgrade to Giskard version 2.15.5 or later, which includes a fix for this vulnerability (GitHub Advisory).