CVE-2025-6638
BaseFortify
Publication date: 2025-09-12
Last updated on: 2025-10-21
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | 4.52.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Hugging Face Transformers library, in the MarianTokenizer's remove_language_code() method. That method strips language-code markers from input text with a regular expression whose worst-case running time grows far faster than linearly with the input length (CWE-1333). An input containing malformed language-code markers forces the regex engine into extensive backtracking, consuming excessive CPU time and potentially denying service.
How can this vulnerability impact me?
Any service that tokenizes attacker-controlled text with the affected MarianTokenizer can be driven to excessive CPU consumption by a crafted input, which may lead to a denial of service condition. Systems using the affected version could become slow or unresponsive, impacting availability; the risk is highest where untrusted input reaches the tokenizer without length limits or timeouts.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Hugging Face Transformers library from the affected version 4.52.4 to version 4.53.0 or later, where the MarianTokenizer's remove_language_code() method has been fixed. Until the upgrade is deployed, bound the length of untrusted text passed to the tokenizer and run tokenization of untrusted input under a timeout so a single crafted request cannot monopolize a worker.
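The following is an added example, not code from the transformers project, illustrating both the explanation and the mitigation above. It assumes an illustrative pattern of the shape the page describes (a lazy `.+?` between the literal delimiters `>>` and `<<`, as in a language code like `>>fr<<`); that regex is an assumption for the demonstration, not asserted to be the library's exact expression. The regex stripper is quadratic on a constructed input of many `>>` openers with no `<<` closer, because at every opener the engine extends the lazy quantifier to the end of the string before giving up; the single-pass stripper beside it has the same matching semantics but caches its lookahead so each character is examined a bounded number of times.

```python
"""ReDoS demonstration for a ">>code<<" language-tag stripper (added example).

The regex below is an assumed illustration of the pattern shape described on
this page; it is not asserted to be transformers' exact regex, and none of the
functions here are the library's own code.
"""
import re
import time

# Assumed illustrative pattern: a language code looks like ">>fr<<".
LANG_CODE_RE = re.compile(r">>.+?<<")


def strip_codes_regex(text: str) -> tuple[list[str], str]:
    """Regex stripper. Worst case is quadratic: for every '>>' with no '<<'
    after it, the lazy '.+?' is grown one character at a time to the end of
    the string before the engine abandons that position and moves on."""
    return LANG_CODE_RE.findall(text), LANG_CODE_RE.sub("", text)


def strip_codes_linear(text: str) -> tuple[list[str], str]:
    """Single-pass equivalent of the regex above: a code opens at '>>' and ends
    at the nearest '<<' that starts at least one character later, with no
    newline in between (the regex '.' does not match '\\n'). The positions of
    the next '<<' and next '\\n' are cached and only refreshed once the scan
    has moved past them, so the total work is linear in len(text)."""
    codes: list[str] = []
    out: list[str] = []
    i, n = 0, len(text)
    next_close = -2  # cached index of the next "<<" (-1 once none remain)
    next_nl = -2     # cached index of the next "\n" (-1 once none remain)
    while i < n:
        start = text.find(">>", i)
        if start == -1:
            out.append(text[i:])
            break
        if next_close != -1 and next_close < start + 3:
            next_close = text.find("<<", start + 3)
        if next_nl != -1 and next_nl < start + 2:
            next_nl = text.find("\n", start + 2)
        if next_close == -1:
            # No closing delimiter anywhere ahead: no later '>>' can match.
            out.append(text[i:])
            break
        if next_nl != -1 and next_nl < next_close:
            # A newline sits before the closer, so this '>>' opens nothing;
            # keep one character and retry from the next position, as the
            # regex engine does.
            out.append(text[i:start + 1])
            i = start + 1
            continue
        out.append(text[i:start])
        codes.append(text[start:next_close + 2])
        i = next_close + 2
    return codes, "".join(out)


def malformed_input(n: int) -> str:
    """Constructed worst-case input: n openers and no closer."""
    return ">>" * n


def seconds(fn, text: str) -> float:
    """Wall-clock time of one call, for comparing the two strippers."""
    t0 = time.perf_counter()
    fn(text)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Doubling the input roughly quadruples the regex time and doubles the
    # linear version's time; the exact numbers depend on the machine.
    for n in (1000, 2000, 4000, 8000):
        payload = malformed_input(n)
        print(f"n={n:5d}  regex={seconds(strip_codes_regex, payload):.4f}s"
              f"  linear={seconds(strip_codes_linear, payload):.6f}s")
```

The timing loop makes the scaling visible; the equivalence of the two strippers on well-formed and malformed inputs is what makes the linear version a drop-in replacement for this assumed pattern. When hardening a real tokenizer, keep the scan-based version alongside a test corpus that exercises the malformed cases (nested openers, a closer on a later line, openers with no closer) so the replacement is checked against the regex it retires.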