CVE-2025-2099
Published: 2025-05-19

Priority: P3 38 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.51% (39.4th percentile)
A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | huggingface_transformers | >= unspecified < 4.50.0 | 4.50.0 |
| huggingface | transformers | <= 4.48.3 | — |
| huggingface | transformers | >= 0 < 8cb522b4190bd556ce51be04942720650b1a3e57 | 8cb522b4190bd556ce51be04942720650b1a3e57 |
| huggingface | transformers | >= 0 < 4.49.0 | 4.49.0 |
| huggingface | transformers | >= 0 < 4.50.0 | 4.50.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV · 2025-05-19 · CVE-2025-2099 (description identical to the NVD text above)
GHSA · 2025-05-19 · CVE-2025-2099 [MEDIUM] · CWE-1333
Hugging Face Transformers Regular Expression Denial of Service
A Regular Expression Denial of Service (ReDoS) exists in the `preprocess_string()` function of the `transformers.testing_utils` module. In versions **before 4.50.0**, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to `preprocess_string()` (or code paths that call it) can force excessive CPU usage and degrade availability.
**Fix:** released in **4.50.0**, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])
* **Affected:** `< 4.50.0`
* **Patched:** `4.50.0`
OSV · 2025-05-19 · CVE-2025-2099 [MEDIUM] · Hugging Face Transformers Regular Expression Denial of Service (advisory text identical to the GHSA entry above)
Red Hat · 2025-05-19 · CVSS 7.5 · CVE-2025-2099 [HIGH] · CWE-1333
transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
(description identical to the NVD text above)
A flaw was found in the preprocess_string() function of the transformers.testing_utils module in HuggingFace Transform
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.