CVE-2026-40319: Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check

The RegexMatching check in the giskard-checks package passes a user-supplied regular expression pattern directly to Python’s re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations.

giskard-checks is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.