CVE-2025-3264
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-08-07
Assigner: huntr.dev
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | From 4.49.0 (inc) to 4.51.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Hugging Face Transformers library, specifically in the get_imports() function in dynamic_module_utils.py, the module that resolves custom model code fetched from a repository when remote code is trusted. Before it extracts import statements, get_imports() uses a regular expression to strip try/except blocks (so that optional imports inside them are not treated as hard dependencies). That pattern is susceptible to catastrophic backtracking: a crafted Python file, for example a try: with long runs of whitespace and no well-formed except clause, makes the regex engine retry a polynomially growing number of ways to split the input, consuming excessive CPU time before the file's imports are even checked. This is CWE-1333 (inefficient regular expression complexity).
How can this vulnerability impact me?
The scan runs at load time, so a hostile custom-code file in a model repository can stall the loader before any of that code is executed. Concretely this means: disruption of remote code loading, CPU exhaustion in model-serving processes that load models from untrusted or user-supplied repositories, a supply-chain vector (a malicious or tampered hub repository can take down consumers that load it with remote code enabled), and stalled development or CI pipelines that pull such repositories. The issue is a denial of service only; on its own it does not give the attacker code execution.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Hugging Face Transformers library to version 4.51.0 or later, where the regex in get_imports() has been fixed, and pin that version in your dependency manifests (the affected range listed above is 4.49.0 up to, but not including, 4.51.0). As a compensating control until you can upgrade, do not enable remote code for repositories you do not control, and review any custom modelling files before loading them; the vulnerable path is only reached when remote code is loaded.
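To make the two answers above concrete, the following added example (not code from the Transformers project or from the advisory) contrasts a regex-based import scanner in the shape the advisory describes with a hardened scanner that lets Python's own parser do the work. The regex TRY_EXCEPT_RE is my reconstruction of the kind of try/except-stripping pattern involved and is an assumption; check the source of your pinned version rather than relying on it. The hostile input produced by redos_payload() is constructed here to show the backtracking growth, not a published proof of concept.

```python
import ast
import re
import time

# Reconstruction of the kind of pattern the advisory describes (an assumption,
# not copied from transformers; verify against your pinned dynamic_module_utils.py).
# Two unbounded quantifiers sit back to back (\s* then .*? under DOTALL). When a
# "try:" is not followed by a well-formed "except ...:", the engine retries every
# way of splitting the trailing whitespace between them, so scan time grows
# polynomially with the length of the whitespace run instead of linearly.
TRY_EXCEPT_RE = re.compile(r"\s*try\s*:\s*.*?except\s*.*?:", re.MULTILINE | re.DOTALL)
IMPORT_RE = re.compile(r"^\s*import\s+(\S+)\s*$", re.MULTILINE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)\s+import", re.MULTILINE)


def regex_get_imports(source: str) -> set[str]:
    """Regex-style extractor: strip try/except blocks, then grep for imports.
    Correct on benign files, but its running time is attacker-controlled."""
    content = TRY_EXCEPT_RE.sub("", source)
    names = IMPORT_RE.findall(content) + FROM_RE.findall(content)
    return {n.split(".")[0] for n in names if not n.startswith(".")}


def ast_get_imports(source: str) -> set[str]:
    """Hardened extractor: parse the file with ast (linear-time tokenizer) and skip
    imports nested under try/except, which is what the regex was approximating.
    Files that are not valid Python are refused instead of being pattern-matched."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        raise ValueError(f"refusing to scan non-parseable custom code: {exc.msg}") from exc
    guarded = {id(n) for t in ast.walk(tree) if isinstance(t, ast.Try) for n in ast.walk(t)}
    modules: set[str] = set()
    for node in ast.walk(tree):
        if id(node) in guarded:
            continue
        if isinstance(node, ast.Import):
            modules.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            modules.add(node.module.split(".")[0])
    return modules


def rejects_invalid_code(source: str) -> bool:
    """True when the hardened extractor refuses the input rather than scanning it."""
    try:
        ast_get_imports(source)
    except ValueError:
        return True
    return False


def redos_payload(n: int) -> str:
    """Constructed hostile custom-code file: a try: whose except never gets its colon,
    padded with whitespace on both sides so the regex has many splits to retry."""
    return "import torch\ntry:" + " " * n + "except" + " " * n + "\n"


def time_regex_scan(source: str) -> float:
    """Wall-clock seconds the regex scanner spends on one file."""
    t0 = time.perf_counter()
    regex_get_imports(source)
    return time.perf_counter() - t0


# Constructed benign custom-code file with an optional import under try/except.
BENIGN = """\
import torch
import torch.nn as nn
from transformers import PreTrainedModel
try:
    import flash_attn
except ImportError:
    flash_attn = None
from .configuration_custom import CustomConfig
"""

if __name__ == "__main__":
    print("hardened scan:", sorted(ast_get_imports(BENIGN)))
    for n in (100, 200, 400):
        print(f"regex scan, padding {n:>4}: {time_regex_scan(redos_payload(n)):.3f}s")
    print("hardened scan rejects payload:", rejects_invalid_code(redos_payload(400)))
```

On the benign file both scanners return the same top-level modules; doubling the padding in the hostile file multiplies the regex scan time many-fold, while the ast-based scanner rejects it in constant-factor time because the parser, not a backtracking regex, decides what a try/except block is. The general lesson is the one a reviewer applies to any scanner over untrusted text: avoid adjacent unbounded quantifiers that can match the same characters, or replace the regex with a real parser.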