Regular Expression Denial of Service in Hugging Face Transformers Library
CVE-2025-6921

5.3MEDIUM

Key Information:

Vendor: Huggingface
Status: Huggingface/transformers
Vendor: CVE Published:; 23 September 2025

🔔 Create Huggingface Vulnerability Alert

What is CVE-2025-6921?

The Hugging Face Transformers library prior to version 4.53.0 is susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability within its AdamWeightDecay optimizer. This issue is triggered by the _do_use_weight_decay method, which improperly processes user-controlled regular expressions in specified lists. Attackers can exploit this vulnerability by inserting malicious regular expressions, resulting in catastrophic backtracking during the re.search operation. The exploitation can lead to excessive CPU utilization, causing system hangs and unresponsiveness during machine learning tasks, ultimately affecting service availability.

Affected Version(s)

huggingface/transformers < 4.53.0

References

https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305...

https://github.com/huggingface/transformers/commit/47c34f...

CVSS V3.0

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Jun 30, 2025

JSON