ReDoS Vulnerability in Hugging Face Transformers Library
CVE-2025-6051
5.3 MEDIUM
What is CVE-2025-6051?
A regular-expression denial-of-service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library: the 'normalize_numbers()' method of the 'EnglishNormalizer' class handles numeric strings improperly, so that certain inputs cause excessive CPU consumption. An attacker who can supply input strings containing long sequences of digits can trigger a denial-of-service condition. This can disrupt text-to-speech and number-normalization processing, exhaust system resources, and degrade the stability of any API that exposes these functions to untrusted text. The issue has been resolved in version 4.53.0.
Affected Version(s)
huggingface/transformers < 4.53.0
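Until the upgrade to 4.53.0 is in place, a service that feeds untrusted text into 'EnglishNormalizer.normalize_numbers()' can bound the size of digit runs it accepts, since the advisory identifies long digit sequences as the trigger. The following is an added example, not code from the Transformers project; the run-length limit (MAX_DIGIT_RUN) and the sample inputs are constructed for illustration, and the version helper compares against the fixed release named above.

```python
import re
from typing import Tuple

# Fixed release stated in the advisory for CVE-2025-6051.
FIXED_VERSION = (4, 53, 0)

# Constructed threshold for this example: tune to the longest digit run
# that legitimate text-to-speech input in your workload actually needs.
MAX_DIGIT_RUN = 32

_DIGIT_RUN = re.compile(r"\d+")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.52.4' or '4.53.0.dev0' into a (major, minor, patch) tuple.

    Non-numeric suffixes (dev, rc) are ignored; missing parts count as 0.
    """
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed transformers is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def longest_digit_run(text: str) -> int:
    """Length of the longest contiguous run of digits in text (0 if none)."""
    return max((len(m.group()) for m in _DIGIT_RUN.finditer(text)), default=0)


def check_input(text: str, max_run: int = MAX_DIGIT_RUN) -> Tuple[bool, str]:
    """Decide whether text is safe to hand to normalize_numbers().

    Rejecting rather than truncating keeps the service from silently
    producing wrong speech output; the caller can log the reason and
    return an HTTP 400 instead of spending CPU on the request.
    """
    run = longest_digit_run(text)
    if run > max_run:
        return False, f"digit run of {run} exceeds limit of {max_run}"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("Room 101 opens at 9", "1" * 500):  # constructed inputs
        print(repr(sample[:20]), check_input(sample))
```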
