CVE-2024-12720

High CVSS: 7.5

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).

Vendor

Huggingface

Product

Transformers

CWE

CWE-1333

Yayın Tarihi

2025-03-20 10:15:29

Güncelleme

2025-08-01 21:11:26

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-1333 Transformers HIGH Huggingface 2025

Referanslar

https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98 https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98

Benzer Kayıtlar

Medium

CVE-2026-2654

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of…

High

CVE-2025-14928

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability a…

High

CVE-2025-14929

Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerabi…

High

CVE-2025-14930

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability…

High

CVE-2025-14920

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vu…

High

CVE-2025-14921

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Th…