CVE-2025-3933
BaseFortify
Publication date: 2025-07-11
Last updated on: 2025-08-07
Assigner: huntr.dev
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | to 4.52.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) issue in the Hugging Face Transformers library, specifically in the DonutProcessor class's token2json() method. It occurs because of a problematic regex pattern `<s_(.*?)>` that can be exploited with crafted input strings to cause excessive CPU usage due to catastrophic backtracking.
How can this vulnerability impact me? :
The vulnerability can lead to service disruption and resource exhaustion by causing excessive CPU consumption. This can affect API services and document processing tasks that use the Donut model, potentially making these services unavailable or degraded.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the Hugging Face Transformers library to version 4.52.1 or later, where the issue in the DonutProcessor class's token2json() method is fixed. Avoid processing untrusted input with affected versions until the upgrade is applied.