CVE-2025-1194
published 2025-04-29

Priority: P430 (medium)
CVSS 3.1: 6.5 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.38% (30.3rd percentile)
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Affected (4 ranges)

Vendor      | Product                                      | Version range             | Fixed in
huggingface | huggingface_transformers                     | >= unspecified, < 4.50.0  | 4.50.0
huggingface | transformers                                 | < 4.50.0                  | 4.50.0
huggingface | transformers                                 | >= 0, < 4.50.0            | 4.50.0
msrc        | cbl2_kernel_5.15.143.1-1_on_cbl_mariner_2.0  | (not given)               | (not given)

CVSS provenance

Source      | CVSS version | Score | Severity | Vector
nvd         | 3.1          | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd         | 3.0          | 4.3   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
vendor_msrc | (not given)  | 8.1   | HIGH     | (not given)