CVE-2024-52524: Giskard: ReDoS in text perturbation causes DoS

GHSA-pjwm-cr36-mwv3 MEDIUM
Published November 14, 2024
CISO Take

Teams using Giskard for AI model evaluation must upgrade to 2.15.5 immediately. An attacker who can influence datasets processed by Giskard can halt evaluation pipelines, potentially allowing unvalidated models to bypass security gates. No effective workaround exists short of patching.

What is the risk?

Medium practical risk. EPSS of 1.47% and absence from CISA KEV indicate no active exploitation. Blast radius is limited to AI testing and validation workflows, not production models directly. However, organizations with externally influenced data pipelines feeding Giskard evaluations, or shared multi-tenant Giskard instances, face elevated exposure. The real danger is indirect: if a crashed or timed-out evaluation job is treated as non-blocking, an unsafe model can pass a CI/CD gate unchecked.

What systems are affected?

Package: Giskard
Ecosystem: pip
Vulnerable Range: <= 2.15.4
Patched: 2.15.5


How severe is it?

CVSS 3.1
N/A
EPSS
0.8%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade Giskard to version 2.15.5 or later — only complete fix.

  2. If immediate patching is blocked, sanitize input datasets to strip complex nested URL-like strings before Giskard ingestion.

  3. Implement hard timeouts on Giskard evaluation jobs and treat timeouts as failures, not bypasses.

  4. Restrict who can submit datasets to Giskard instances, especially in shared or CI/CD-integrated deployments.

  5. Audit pipeline configurations to ensure a crashed Giskard job cannot silently pass a model to production.
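The pipeline-side guard behind steps 3 and 5, as an added example (not Giskard's code): a constructed nested-quantifier URL regex stands in for the vulnerable pattern, each text transformation runs in a child process with a hard deadline, and the gate passes only a run that actually completed. `strip_punctuation_keep_urls`, `transform_with_deadline` and `gate_decision` are hypothetical names; the regex and sample inputs are constructed.

```python
import multiprocessing as mp
import re
from dataclasses import dataclass

# Constructed stand-in for the advisory's URL regex (not Giskard's own): the
# nested quantifier (\w+\.?)+ is the CWE-1333 shape that backtracks exponentially.
URL_LIKE = re.compile(r"^(https?://)?(\w+\.?)+(/\w*)*$")

def strip_punctuation_keep_urls(text: str) -> str:
    """Constructed transformation: strip punctuation from non-URL tokens."""
    out = []
    for tok in text.split():
        out.append(tok if URL_LIKE.match(tok) else re.sub(r"[^\w\s]", "", tok))
    return " ".join(out)

@dataclass
class GuardResult:
    status: str        # "ok", "timeout" or "error"
    value: str = ""

def _worker(conn, text: str) -> None:
    # Runs in the child process; exceptions are reported, not swallowed.
    try:
        conn.send(("ok", strip_punctuation_keep_urls(text)))
    except Exception as exc:
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def transform_with_deadline(text: str, deadline_s: float) -> GuardResult:
    """Run the transformation in a child process and kill it past the deadline.
    A signal handler cannot interrupt CPython's regex engine mid-match, so a
    separate process is the only hard stop (fork start method: Linux/macOS)."""
    ctx = mp.get_context("fork")
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(send_end, text))
    proc.start()
    send_end.close()                      # parent keeps only the read end
    if recv_end.poll(deadline_s):
        try:
            status, value = recv_end.recv()
        except EOFError:                  # child died before reporting
            status, value = "error", ""
        proc.join()
        return GuardResult(status, value)
    proc.kill()                           # hard stop, no cooperative cancel
    proc.join()
    return GuardResult("timeout")

def gate_decision(result: GuardResult) -> str:
    """CI gate: only a completed run may pass; timeouts and errors block."""
    return "PASS" if result.status == "ok" else "BLOCK"
```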

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2 - AI risk treatment
NIST AI RMF
MANAGE 2.2 - AI Risk Response
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2024-52524?

Teams using Giskard for AI model evaluation must upgrade to 2.15.5 immediately. An attacker who can influence datasets processed by Giskard can halt evaluation pipelines, potentially allowing unvalidated models to bypass security gates. No effective workaround exists short of patching.

Is CVE-2024-52524 actively exploited?

No confirmed active exploitation of CVE-2024-52524 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-52524?

  1. Upgrade Giskard to version 2.15.5 or later — only complete fix.

  2. If immediate patching is blocked, sanitize input datasets to strip complex nested URL-like strings before Giskard ingestion.

  3. Implement hard timeouts on Giskard evaluation jobs and treat timeouts as failures, not bypasses.

  4. Restrict who can submit datasets to Giskard instances, especially in shared or CI/CD-integrated deployments.

  5. Audit pipeline configurations to ensure a crashed Giskard job cannot silently pass a model to production.

What systems are affected by CVE-2024-52524?

This vulnerability affects the following AI/ML architecture patterns: ML testing pipelines, model evaluation pipelines, AI model validation systems, ML CI/CD pipelines.

What is the CVSS score for CVE-2024-52524?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

  • ML testing pipelines
  • Model evaluation pipelines
  • AI model validation systems
  • ML CI/CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0043.003 Manual Modification

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

# ReDoS in Giskard text perturbation detector

A Remote Code Execution (ReDoS) vulnerability was discovered in a Giskard component by the [GitHub Security Lab](https://securitylab.github.com) team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation times, potentially leading to denial of service.

## Details

The vulnerability affects Giskard's punctuation removal transformation used in the text perturbation detection. A regex used to detect URLs and links was vulnerable to catastrophic backtracking that could be triggered by specific patterns in the text.

## Affected version

Giskard versions prior to 2.15.5 are affected. Users should upgrade to version 2.15.5 or later, which includes a fix for this vulnerability.

## Impact

This vulnerability can cause extended computation times or crashes in Giskard when processing text containing certain patterns.

## Credit

This issue was discovered and reported by GHSL team member [@kevinbackhouse (Kevin Backhouse)](https://github.com/kevinbackhouse).

Exploitation Scenario

An adversary with write access to a dataset ingested by Giskard — via poisoned training data, a compromised data lake, or a malicious CI/CD artifact — injects text strings with pathological URL-like patterns designed to trigger catastrophic backtracking in the regex engine. When Giskard runs its text perturbation detector, the evaluation job enters a near-infinite CPU loop. In a CI/CD pipeline, this either crashes the validation stage or triggers a timeout. If the pipeline treats timeouts as non-blocking, the model proceeds to production without completing its safety evaluation — achieving model deployment bypass as a secondary impact beyond simple DoS.

Weaknesses (CWE)

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

  • [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.

Timeline

Published
November 14, 2024
Last Modified
November 14, 2024
First Seen
March 24, 2026
