CVE-2025-6638
BaseFortify

Publication date: 2025-09-12

Last updated on: 2025-10-21

Assigner: huntr.dev

Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Meta Information
Generated: 2026-06-16
Affected Vendors & Products
Vendor: huggingface
Product: transformers
Version / Range: 4.52.4
CWE
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Executive Summary

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Hugging Face Transformers library, specifically in the MarianTokenizer's remove_language_code() method. It occurs due to inefficient regex processing that can be exploited by specially crafted input strings with malformed language code patterns, causing excessive CPU usage and potentially leading to a denial of service.

Impact Analysis

The vulnerability can cause excessive CPU consumption when processing certain crafted inputs, which may lead to a denial of service condition. This means that systems using the affected version of the MarianTokenizer could become unresponsive or slow, impacting availability.

Mitigation Strategies

Upgrade the Hugging Face Transformers library from version 4.52.4 to version 4.53.0 or later, where the vulnerability in the MarianTokenizer's remove_language_code() method has been fixed.
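As an added example (not code from the BaseFortify page or the Transformers project), the following Python gate checks whether the Transformers version in an environment predates the fix. The advisory names 4.52.4 as affected and 4.53.0 as fixed; treating every release below 4.53.0, including pre-releases of 4.53.0, as potentially affected is a conservative assumption made here, not a statement from the advisory.

```python
# Added example: deployment/CI gate for CVE-2025-6638 (ReDoS in MarianTokenizer).
# Assumption: any version ordered before the 4.53.0 final release is treated as
# affected; the advisory itself only names 4.52.4 explicitly.
import re
from typing import Optional, Tuple

FIXED_VERSION = (4, 53, 0, 1)   # first release with the fix; trailing 1 = final release
LISTED_AFFECTED = (4, 52, 4, 1)  # the only version named in the advisory's CPE entry


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, is_final) for a transformers version string.

    is_final is 0 for pre-releases (dev/rc/alpha/beta builds) and 1 otherwise, so a
    pre-release of 4.53.0 sorts below the 4.53.0 final release that carries the fix.
    Post-releases and local suffixes (e.g. '.post1', '+cu118') count as final.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rest = m.group(1), m.group(2), m.group(3) or "0", m.group(4)
    prerelease = re.match(r"(dev|rc|alpha|beta|a|b)\d*", rest.strip().lstrip(".-"))
    return int(major), int(minor), int(patch), 0 if prerelease else 1


def is_affected(version: str) -> bool:
    """True when the given version is ordered before the fixed release."""
    return parse_version(version) < FIXED_VERSION


def check_installed() -> Optional[str]:
    """One-line verdict for the transformers package importable here.

    Returns None when transformers is not installed at all.
    """
    try:
        import transformers  # type: ignore
    except ImportError:
        return None
    ver = transformers.__version__
    state = "AFFECTED - upgrade to >= 4.53.0" if is_affected(ver) else "fixed"
    return f"transformers {ver}: {state} for CVE-2025-6638"


if __name__ == "__main__":
    print(check_installed() or "transformers is not installed in this environment")
```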
