Executive Summary

This vulnerability is a Regular Expression Denial of Service (ReDoS) issue found in the Hugging Face Transformers library, specifically in the `normalize_numbers()` method of the `EnglishNormalizer` class. It occurs because the method processes numeric strings using regular expressions that can be exploited with specially crafted input containing long sequences of digits. This causes excessive CPU usage, potentially leading to service disruption or resource exhaustion.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can cause excessive CPU consumption when processing crafted numeric input strings, leading to service disruption, resource exhaustion, and potential API vulnerabilities. This can affect applications using the Hugging Face Transformers library for text-to-speech and number normalization tasks, resulting in degraded performance or denial of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the `normalize_numbers()` method of the `EnglishNormalizer` class in the Hugging Face Transformers library (versions up to 4.52.4) with crafted input strings containing long sequences of digits to observe excessive CPU consumption or service disruption. There are no specific network detection commands provided. To check the installed version of the transformers library, you can run: `pip show transformers`. To test for the vulnerability, you could write a small Python script that calls `normalize_numbers()` with long numeric strings and monitor CPU usage. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Hugging Face Transformers library to version 4.53.0 or later, where the vulnerability in the `normalize_numbers()` method has been fixed. This update includes improved regex handling that prevents excessive CPU consumption from crafted numeric inputs. [1]

Useful 0 Not Useful 0