CVE-2024-12391: CWE-1333 Inefficient Regular Expression Complexity in binary-husky binary-husky/gpt_academic
A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码(手动指定和筛选源码文件类型)' (parse project source code, with manually specified filtering of source file types) permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.
AI Analysis
Technical Summary
CVE-2024-12391 is a Regular Expression Denial of Service (ReDoS) weakness in binary-husky/gpt_academic. The affected function, '解析项目源码(手动指定和筛选源码文件类型)' (parse project source code, with manually specified filtering of source file types), takes a regular expression from the user and evaluates it with Python's standard-library re module to select which files to process. That engine is a backtracking matcher: a pattern with nested or overlapping repetition (the textbook shapes are (a+)+ and (a|aa)+) applied to an input that almost matches forces the engine to retry every way of splitting the input, so running time grows exponentially with input length (CWE-1333, inefficient regular expression complexity). A single such request pins a CPU core for as long as the attacker wants; the CVE description characterises the result as hanging the server for an arbitrary amount of time, so the effect is a hang rather than a crash. Exploitation requires an attacker who can reach the function and who controls both the pattern and the text being searched, which the CVSS 3.0 vector records as low privileges (PR:L) and no user interaction (UI:N), with high availability impact (A:H) and no impact on confidentiality or integrity; the resulting base score is 6.5 (medium). No public exploit has been reported. This advisory identifies no fixed version; until one is applied, defenders have to rely on access restriction, pattern validation and a hard execution limit, bearing in mind that the standard-library re module has no timeout of its own, so the limit must come from process isolation or from a different matching engine. The exposure matters most where gpt_academic is reachable by more than one user, for example shared or cloud-hosted deployments, because any user who can submit a pattern can stall the service for everyone else.
Potential Impact
For European organizations, the primary impact of CVE-2024-12391 is denial of service against the gpt_academic deployment itself: one request carrying a pathological pattern stalls the service for an attacker-chosen time, and the request can simply be repeated. Teams that have wired gpt_academic into developer tooling, automated source code analysis or a shared LLM front-end would see the tool become unresponsive, and any automation built on top of it would stall with it. Shared or multi-tenant deployments are the most exposed, because the attacker only needs an account or other access to the web interface (PR:L), not the cooperation of a victim (UI:N), and a single user can deny the tool to all others. Confidentiality and integrity are not affected; the cost is lost availability, the effort of diagnosing and restarting hung workers, and the delay to whatever work depends on the tool, which weighs most in sectors with strict uptime expectations such as finance, healthcare and critical infrastructure. The absence of a public exploit lowers the immediate risk only slightly: a ReDoS payload needs no tooling, a single short pattern and a matching input string are enough, and such weaknesses are routinely weaponized once disclosed.
Mitigation Recommendations
To mitigate CVE-2024-12391, organizations should implement the following measures, which go beyond generic advice:
1) Restrict who can reach the source-parsing function. Put the gpt_academic web interface behind authentication, do not expose it directly to the internet, and limit the ability to supply arbitrary regular expressions to trusted users.
2) Validate user-supplied patterns before compiling them. Reject nested unbounded quantifiers such as (x+)+ or (x*)* and cap the pattern length. Static checks catch the common shapes but cannot prove a pattern safe (overlapping alternations such as (a|aa)+ slip through), so they complement rather than replace a runtime limit.
3) Enforce a hard execution limit. The standard-library re module cannot be interrupted from inside the interpreter, so either run the match in a separate worker process that is killed at a deadline, use the third-party regex module, whose matching functions accept a timeout argument, or switch to a linear-time engine such as RE2 via its Python bindings (which gives up backreferences and lookaround in exchange for guaranteed linear matching).
4) Monitor for the symptom: a worker process pinned at 100% CPU while a request remains open. Log the submitted pattern alongside the request so that a hang can be traced to its input.
5) Where the use case allows, replace free-form regex input with a file-extension or glob allowlist and have the server build the pattern from escaped tokens; the result is a flat alternation with no nested repetition.
6) Track upstream binary-husky/gpt_academic for a fix to this function after commit 310122f and update promptly once one is published.
7) Isolate the parsing work in a separate worker process with its own CPU limit (for example RLIMIT_CPU or a cgroup budget) so that one pathological request cannot take down the whole service.
8) Review the rest of the code base for other places that compile user-supplied regular expressions and apply the same controls there.
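The following is an added example, not code from gpt_academic, that puts the backtracking behaviour described in the technical summary and the validation, timeout and allowlist measures above into working Python. Function names are the author's own; it assumes a POSIX host (it uses the "fork" process start method) and only the standard library.

```python
"""Added example: guarding a user-supplied regular expression against
catastrophic backtracking in CPython's standard-library `re`.  This is
illustrative code, not gpt_academic's own; function names are the author's
choice.  Assumes a POSIX host (the "fork" start method)."""
import multiprocessing
import re
from typing import Optional, Tuple

UNBOUNDED = set("+*{")   # quantifiers that allow unbounded repetition


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic pre-filter: True if an unbounded-quantified group itself
    contains an unbounded quantifier, e.g. (a+)+ or (\\w*)*.  It catches the
    textbook ReDoS shape only; overlapping alternations such as (a|aa)+
    pass, which is why a runtime limit is still required."""
    stack = []          # per open group: has a quantifier been seen inside?
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                      # escaped char: skip it
            i += 2
            continue
        if c == "[":                       # character class: skip to ']'
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":  # leading ']' is literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
            continue
        if c == "(":
            stack.append(False)
            if i + 1 < n and pattern[i + 1] == "?":   # (?: (?= (?P< ...
                i += 2
        elif c == ")":
            inner = stack.pop() if stack else False
            if inner and stack:            # propagate to enclosing group
                stack[-1] = True
            if inner and i + 1 < n and pattern[i + 1] in UNBOUNDED:
                return True
        elif c in UNBOUNDED and stack:
            stack[-1] = True
        i += 1
    return False


class RegexTimeout(Exception):
    """Raised when the match does not finish within the deadline."""


def _match_worker(conn, pattern: str, text: str) -> None:
    """Child process: compile and search, report the span or an error."""
    try:
        m = re.search(pattern, text)
        conn.send(("ok", m.span() if m else None))
    except re.error as exc:
        conn.send(("error", str(exc)))
    finally:
        conn.close()


def guarded_search(pattern: str, text: str, timeout: float = 0.5,
                   precheck: bool = True) -> Optional[Tuple[int, int]]:
    """re.search with two guards: reject nested quantifiers up front, then
    run the match in a forked child that is SIGKILLed at the deadline.
    The stdlib engine cannot be interrupted from inside the interpreter,
    so the isolation has to be a separate process, not a thread."""
    if precheck and has_nested_quantifier(pattern):
        raise ValueError("rejected: nested unbounded quantifier")
    ctx = multiprocessing.get_context("fork")
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_match_worker, args=(send_end, pattern, text))
    proc.start()
    send_end.close()                       # parent keeps only the read end
    try:
        if not recv_end.poll(timeout):
            proc.kill()
            raise RegexTimeout(f"pattern exceeded {timeout}s: {pattern!r}")
        status, payload = recv_end.recv()
    finally:
        proc.join()
        recv_end.close()
    if status == "error":
        raise ValueError(payload)
    return payload


def pattern_from_extensions(exts) -> re.Pattern:
    """Safer replacement for free-form regex input: the user picks file
    extensions, the server builds the pattern from escaped tokens, so the
    result is a flat alternation with no nested repetition at all."""
    cleaned = []
    for e in exts:
        e = e.strip().lstrip("*").lstrip(".")
        if not re.fullmatch(r"[A-Za-z0-9_+-]{1,16}", e):
            raise ValueError(f"bad extension: {e!r}")
        cleaned.append(re.escape(e))
    return re.compile(r"\.(?:" + "|".join(cleaned) + r")\Z", re.IGNORECASE)


if __name__ == "__main__":
    print(guarded_search(r"\.(py|c)$", "utils.py"))          # benign: (5, 8)
    try:   # constructed ReDoS input: 60 a's then a non-matching character
        guarded_search(r"(a|aa)+$", "a" * 60 + "!", timeout=0.3)
    except RegexTimeout as exc:
        print("killed:", exc)
```

The pre-filter alone is not enough: (a|aa)+$ against a long run of a's followed by one other character passes has_nested_quantifier yet still explores every way of splitting the input, so only the process deadline stops it. A thread-based timeout would not work here because a running match never releases control back to Python; the child must be killed from outside.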
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-12-09T22:00:22.961Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b24178f764e1f470af0
Added to database: 10/15/2025, 1:01:24 PM
Last enriched: 10/15/2025, 1:23:08 PM
Last updated: 10/16/2025, 2:53:14 PM