We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-3263

Regular Expression Denial of Service (ReDoS) in huggingface/transformers



Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Reserved 2025-04-04 | Published 2025-07-07 | Updated 2025-07-07 | Assigner @huntr_ai


MEDIUM: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-1333 Inefficient Regular Expression Complexity

Product status

Any version before 4.51.0
affected

References

huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29

github.com/...ommit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76

cve.org (CVE-2025-3263)

nvd.nist.gov (CVE-2025-3263)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-3263

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.