CVE-2025-5197
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-10-21
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | versions before 4.53.0 (4.53.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Hugging Face Transformers library. It occurs in the function convert_tf_weight_name_to_pt_weight_name(), which converts TensorFlow weight names to PyTorch format. The function uses a regex pattern that can be exploited with crafted input strings to cause excessive CPU usage due to catastrophic backtracking, leading to potential service disruption.
How can this vulnerability impact me?
The vulnerability can cause excessive CPU consumption, leading to resource exhaustion and service disruption. It may affect API services involved in model conversion between TensorFlow and PyTorch formats, potentially making these services unavailable or degraded.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Hugging Face Transformers library to version 4.53.0 or later, where the issue is fixed. Avoid processing untrusted or crafted input strings that could trigger the ReDoS vulnerability until the upgrade is applied.