CVE-2025-3264

Medium CVSS: 5.3

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

Vendor

Huggingface

Product

Transformers

CWE

CWE-1333

Yayın Tarihi

2025-07-07 10:15:27

Güncelleme

2025-08-07 01:02:30

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-1333 Transformers MEDIUM Huggingface 2025

Referanslar

https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76 https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df

Benzer Kayıtlar

Medium

CVE-2026-2654

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of…

High

CVE-2025-14928

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability a…

High

CVE-2025-14929

Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerabi…

High

CVE-2025-14930

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability…

High

CVE-2025-14920

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vu…

High

CVE-2025-14921

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. Th…