Regular Expression Denial of Service (ReDoS) in huggingface/transformers
CVE-2025-6051

5.3MEDIUM

Key Information:

Vendor: Huggingface
Status: Huggingface/transformers
Vendor: CVE Published:; 14 September 2025

🔔 Create Huggingface Vulnerability Alert

What is CVE-2025-6051?

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

Affected Version(s)

huggingface/transformers < 4.53.0

References

https://huntr.com/bounties/af929523-7b59-418a-bf55-301830...

https://github.com/huggingface/transformers/commit/ba8eab...

CVSS V3.0

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 14, 2025
Vulnerability Reserved
Jun 13, 2025