CVE-2025-6921
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-10-10

Assigner: huntr.dev

Description
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-10-10
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-6921
EUVD
EUVD-2025-30889
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
huggingface transformers to 4.53.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the huggingface/transformers library versions prior to 4.53.0. It occurs in the AdamWeightDecay optimizer's _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Maliciously crafted regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU usage and causing the system to hang or become unresponsive.

Impact Analysis

An attacker who can control the regular expression patterns in the include_in_weight_decay and exclude_from_weight_decay lists can exploit this vulnerability to cause the machine learning task to hang by consuming all CPU resources. This results in a denial of service, making the affected services unresponsive and potentially disrupting operations that rely on the huggingface/transformers library.

Mitigation Strategies

To mitigate this vulnerability, upgrade the huggingface/transformers library to version 4.53.0 or later, where the issue has been fixed. Avoid using untrusted or user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists of the AdamWeightDecay optimizer to prevent potential ReDoS attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6921. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart