Denial of Service Vulnerability in Hugging Face Transformers Module
CVE-2025-2099

7.5HIGH

Key Information:

Vendor

Huggingface

Status
Huggingface/transformers
Vendor
CVE Published:
19 May 2025

What is CVE-2025-2099?

A vulnerability exists in the preprocess_string() function of the transformers.testing_utils module in Hugging Face's Transformers library, specifically in version v4.48.3. This issue arises from a poorly constructed regular expression used to handle code blocks in docstrings, which employs nested quantifiers. As a result, the handling of input with numerous newline characters can trigger significant CPU load due to exponential backtracking, allowing an attacker to execute a Regular Expression Denial of Service (ReDoS) attack. By crafting a specific input payload, attackers may cause application downtime, leading to a potential DoS situation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

huggingface/transformers < 4.50.0

References

https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57...
https://github.com/huggingface/transformers/commit/8cb522...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.