CVE-2025-6051
BaseFortify

Publication date: 2025-09-14

Last updated on: 2025-10-21

Assigner: huntr.dev

Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's regular-expression handling of numeric strings: crafted input containing long sequences of digits makes the regex engine backtrack superlinearly, consuming excessive CPU time. This impacts text-to-speech and number normalization tasks, and any API endpoint that passes untrusted text through the normalizer can be driven into resource exhaustion and denial of service.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: huggingface
Product: transformers
Version / Range: 4.52.4
CWE
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Regular Expression Denial of Service (ReDoS) issue found in the Hugging Face Transformers library, specifically in the `normalize_numbers()` method of the `EnglishNormalizer` class. The regular expressions the method applies to numeric strings backtrack superlinearly on specially crafted input containing long sequences of digits, so a single request can consume excessive CPU time and lead to service disruption or resource exhaustion.


How can this vulnerability impact me?

The vulnerability can cause excessive CPU consumption when processing crafted numeric input strings, leading to service disruption and resource exhaustion. Any application that uses the Hugging Face Transformers library for text-to-speech or number normalization, and in particular any API that passes untrusted text through the normalizer, can be degraded or denied service by an unauthenticated client sending such input.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This is a host-side issue, not a network one: detect it by checking the installed library version and, if needed, by exercising the method. To check the installed version, run `pip show transformers` (or `python -c "import transformers; print(transformers.__version__)"`); any version up to 4.52.4 is affected. To confirm the behaviour, write a small Python script that calls `normalize_numbers()` on the `EnglishNormalizer` class with digit strings of increasing length and observe whether the wall-clock time grows much faster than the input length. No specific network detection commands are provided. [1]
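The check described above, as an added example that is not code from the Transformers project or from the advisory. It reads the installed package version and compares it with the 4.53.0 fix, and it times a normalizer on growing digit runs so superlinear growth stands out. Because the library's own regex is not reproduced on this page, the block uses two constructed stand-in regexes: one with the CWE-1333 shape (an ambiguous repeated group over digit runs) and an unambiguous rewrite of it. The import path of `EnglishNormalizer` is not given here either; wire the real method in as `fn` from wherever the installed package defines it.

```python
"""Host-side check for CVE-2025-6051 (ReDoS in EnglishNormalizer.normalize_numbers).

Added example, not code from Hugging Face Transformers. The two regexes below are
constructed stand-ins that show the CWE-1333 shape and a linear-time rewrite;
they are NOT the library's patterns.
"""
import re
import time
from importlib import metadata

FIXED_VERSION = (4, 53, 0)  # first fixed release named in the advisory


def parse_version(version: str) -> tuple:
    """Leading dotted numeric components, padded to three ("4.52.4.dev0" -> (4, 52, 4))."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version predates the 4.53.0 fix (advisory: up to 4.52.4 affected)."""
    return parse_version(version) < FIXED_VERSION


def check_installed() -> dict:
    """Version of the installed transformers package and whether it is in the affected range."""
    try:
        version = metadata.version("transformers")
    except metadata.PackageNotFoundError:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


# Constructed stand-ins (assumption: not the library's regexes). The first has the
# CWE-1333 shape: the repeated group (\d+,?)+ can split a digit run in exponentially
# many ways, and the trailing \b makes the engine try all of them when the digits are
# followed by a letter, because no split can satisfy the boundary.
VULNERABLE_NUMBER_RE = re.compile(r"(\d+,?)+\b")
# Unambiguous rewrite: \d+ is greedy and every further group must begin with a comma,
# so there is exactly one way to match any digit run and failure is immediate.
HARDENED_NUMBER_RE = re.compile(r"\d+(?:,\d+)*")


def _strip_commas(m) -> str:
    return m.group(0).replace(",", "")


def normalize_vulnerable(text: str) -> str:
    """Toy comma-group normalizer with the pathological regex ("1,000" -> "1000")."""
    return VULNERABLE_NUMBER_RE.sub(_strip_commas, text)


def normalize_hardened(text: str) -> str:
    """Same behaviour on benign input, linear time on crafted input."""
    return HARDENED_NUMBER_RE.sub(_strip_commas, text)


def digits_payload(n: int, suffix: str = "") -> str:
    """Crafted input: a run of n digits, optionally followed by a suffix."""
    return "1" * n + suffix


def growth_profile(fn, lengths, suffix: str = "") -> list:
    """Wall-clock seconds of fn(digits_payload(n, suffix)) for each n. Read the trend,
    not single values: time growing much faster than n is the ReDoS signal. Pass
    EnglishNormalizer().normalize_numbers from the installed package as fn to probe
    the real method with the digit-only payload the advisory describes."""
    out = []
    for n in lengths:
        text = digits_payload(n, suffix)
        t0 = time.perf_counter()
        fn(text)
        out.append((n, time.perf_counter() - t0))
    return out


if __name__ == "__main__":
    print("installed:", check_installed())
    # Exponential stand-in: keep n small, each +2 roughly quadruples the time.
    for n, secs in growth_profile(normalize_vulnerable, [10, 12, 14, 16], suffix="x"):
        print(f"vulnerable n={n:>6}: {secs:.4f}s")
    for n, secs in growth_profile(normalize_hardened, [1_000, 10_000, 100_000], suffix="x"):
        print(f"hardened   n={n:>6}: {secs:.4f}s")
```

Run it on the host that serves the model. On an affected install, `check_installed()` reports `affected: True`; timing the real `normalize_numbers()` on digit runs of increasing length should then show the same superlinear trend the stand-in prints, while 4.53.0 or later should stay roughly proportional to the input length.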


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Hugging Face Transformers library to version 4.53.0 or later, where the vulnerability in the `normalize_numbers()` method has been fixed. This update includes improved regex handling that prevents excessive CPU consumption from crafted numeric inputs. [1] Until the upgrade is deployed, the usual ReDoS stopgap applies: cap the length of untrusted text passed to the normalizer and run normalization under a per-request timeout, so a single crafted string cannot hold a worker indefinitely.

