CVE-2025-3263
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-08-07
Assigner: huntr.dev
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | From 4.49.0 (inc) to 4.51.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) issue in the Hugging Face Transformers library, specifically in the get_configuration_file() function. It occurs because of a regular expression pattern that can be exploited with crafted input strings to cause excessive CPU usage due to catastrophic backtracking, leading to service disruption and resource exhaustion.
How can this vulnerability impact me? :
The vulnerability can cause model serving disruption, resource exhaustion, and increased latency in applications using the affected library version, potentially degrading performance or causing denial of service.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Hugging Face Transformers library to version 4.51.0 or later, where the vulnerability in the get_configuration_file() function has been fixed. Avoid using the affected version 4.49.0 to prevent exploitation of the Regular Expression Denial of Service (ReDoS) vulnerability.