MEDIUM 5.3 PyPI
Hugging Face Transformers Regular Expression Denial of Service
GHSA-qq3j-4f4f-9583 · CVE-2025-2099 · PYSEC-2025-40
Published · Modified
Description
A Regular Expression Denial of Service (ReDoS) exists in the preprocess_string() function of the transformers.testing_utils module. In versions before 4.50.0, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to preprocess_string() (or code paths that call it) can force excessive CPU usage and degrade availability.
Fix: released in 4.50.0, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])
- Affected:
< 4.50.0 - Patched:
4.50.0
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-2099
- WEB https://github.com/huggingface/transformers/pull/36648
- WEB https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57
- PACKAGE https://github.com/huggingface/transformers
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml
- WEB https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4
Ready to move
Start Securing
Free, no credit card | First findings in minutes