CVE-2025-3262
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-08-02
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | up to 4.51.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the huggingface/transformers repository, version 4.49.0. It occurs because the regular expression assigned to the SETTING_RE variable in transformers/commands/chat.py is built from nested repetition groups and quantifiers that are not optimised. Inputs that almost match the pattern trigger exponential backtracking, which degrades performance and can cause a denial of service when specially crafted input strings are processed.
How can this vulnerability impact me?
The vulnerability can degrade the performance of the application using the affected version of huggingface/transformers by causing excessive processing time on certain inputs. This can lead to a denial-of-service (DoS) condition, where the application becomes unresponsive or unavailable due to resource exhaustion triggered by specially crafted input strings.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the huggingface/transformers package to version 4.51.0 or later, where the vulnerability has been fixed.