CVE-2025-6921
BaseFortify
Publication date: 2025-09-23
Last updated on: 2025-10-10
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huggingface | transformers | versions before 4.53.0 (4.53.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the huggingface/transformers library versions prior to 4.53.0. It occurs in the AdamWeightDecay optimizer's _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Maliciously crafted regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU usage and causing the system to hang or become unresponsive.
How can this vulnerability impact me?
An attacker who can control the regular expression patterns in the include_in_weight_decay and exclude_from_weight_decay lists can exploit this vulnerability to cause the machine learning task to hang by consuming all CPU resources. This results in a denial of service, making the affected services unresponsive and potentially disrupting operations that rely on the huggingface/transformers library.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the huggingface/transformers library to version 4.53.0 or later, where the issue has been fixed. Avoid using untrusted or user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists of the AdamWeightDecay optimizer to prevent potential ReDoS attacks.
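A defensive filter for the include/exclude lists named above, added here as an example and not code from the transformers project: it reproduces the include-first, exclude-second, decay-by-default lookup (that precedence is an assumption about the optimizer, not stated in the advisory) but only accepts literal parameter-name fragments with optional ^/$ anchors, so no quantifier or group is ever handed to re.search and catastrophic backtracking cannot occur. Parameter names and pattern lists below are constructed sample data.

```python
import re

# Allowed shape: optional leading '^', a literal name fragment, optional trailing '$'.
# No quantifiers, groups, alternation or character classes can get through.
_SAFE_PATTERN = re.compile(r"^\^?[A-Za-z0-9_.\-/]+\$?$")


def is_safe_pattern(pattern):
    """True if the pattern is a plain (optionally anchored) name fragment."""
    return bool(_SAFE_PATTERN.match(pattern))


def validate_patterns(patterns):
    """Compile a pattern list, refusing anything that is not a literal fragment.

    The fragment is re.escape()d so '.' in 'layer.0' stays a literal dot; only the
    anchors are passed through as regex syntax.
    """
    compiled = []
    for p in patterns or []:
        if not is_safe_pattern(p):
            raise ValueError(f"refusing weight-decay pattern {p!r}: only literal "
                             "name fragments with optional ^/$ anchors are allowed")
        prefix = "^" if p.startswith("^") else ""
        suffix = "$" if p.endswith("$") else ""
        compiled.append(re.compile(prefix + re.escape(p.strip("^$")) + suffix))
    return compiled


def should_apply_weight_decay(param_name, include_in_weight_decay=None,
                              exclude_from_weight_decay=None):
    """Include-list hit -> True, else exclude-list hit -> False, else True (assumed precedence)."""
    for rx in validate_patterns(include_in_weight_decay):
        if rx.search(param_name):
            return True
    for rx in validate_patterns(exclude_from_weight_decay):
        if rx.search(param_name):
            return False
    return True


if __name__ == "__main__":
    # Constructed parameter names in the style of a transformer checkpoint.
    names = ["encoder.layer.0.attention.self.query.weight",
             "encoder.layer.0.attention.output.LayerNorm.bias",
             "classifier.bias"]
    for n in names:
        print(n, should_apply_weight_decay(n, exclude_from_weight_decay=["LayerNorm", "bias"]))
```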