Denial of Service Vulnerability in Hugging Face Transformers Library
CVE-2025-3262

7.5HIGH

Key Information:

Vendor: Huggingface
Status: Huggingface/transformers
Vendor: CVE Published:; 7 July 2025

🔔 Create Huggingface Vulnerability Alert

What is CVE-2025-3262?

A Denial of Service vulnerability has been identified in the Hugging Face Transformers library, specifically in version 4.49.0. The root cause lies in the inefficient regular expression patterns defined in the SETTING_RE variable located in the transformers/commands/chat.py file. This issue arises due to the presence of repetition groups and poorly optimized quantifiers, which can lead to severe performance degradation through exponential backtracking when processing 'almost matching' payloads. Maliciously crafted input strings can exploit this vulnerability, resulting in a Denial-of-Service condition. This issue has been addressed in version 4.51.0.

Affected Version(s)

huggingface/transformers < 4.51.0

References

https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d...

https://github.com/huggingface/transformers/commit/0720e2...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 7, 2025
Vulnerability Reserved
Apr 4, 2025

CVE-2025-3262 Data

JSON