CVE-2025-3263

Medium CVSS: 5.3

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Vendor

Huggingface

Product

Transformers

CWE

CWE-1333

Yayın Tarihi

2025-07-07 10:15:27

Güncelleme

2025-08-07 01:03:17

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-1333 Transformers MEDIUM Huggingface 2025

Referanslar

https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76 https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29

Benzer Kayıtlar

Medium

CVE-2026-2654

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of…

High

CVE-2025-14928

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability a…

High

CVE-2025-14929

Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerabi…

High

CVE-2025-14930

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability…

High

CVE-2025-14920

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vu…

High

CVE-2025-14921

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Th…