216.73.217.172

CVE-2025-2099

· Published 19/05/2025 12:15 · Modified 19/05/2025 13:35

Labels: CVE-2025-2099 2025-05-19CVE-2025-2099CWE-1333[email protected]

Essential information

Published
19/05/2025 12:15
Modified
19/05/2025 13:35
Author
Creator
CVSS
5.3 MEDIUM (v3.0)
CISA KEV
No
CWE
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS metrics

Description

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
huggingface / transformers cpe:2.3:a:huggingface:transformers:v4.48.3:*:*:*:*:*:*:*

References