Regular Expression Denial of Service Vulnerability in Hugging Face Transformers Library
CVE-2025-1194

6.5MEDIUM

Key Information:

Vendor

Huggingface

Status
Huggingface/transformers
Vendor
CVE Published:
29 April 2025

What is CVE-2025-1194?

A vulnerability has been identified in the Hugging Face Transformers library, particularly within the tokenization mechanism of the GPT-NeoX-Japanese model. The SubWordJapaneseTokenizer class processes user inputs using regular expressions that exhibit exponential complexity. When fed specifically crafted inputs, the regex can lead to significant backtracking, resulting in heightened CPU usage and potential application unavailability. This scenario culminates in a Denial of Service (DoS), compromising the functionality and reliability of applications utilizing this library. The impacted version is v4.48.1.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

huggingface/transformers < 4.50.0

References

https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51...
https://github.com/huggingface/transformers/commit/92c5ca...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.