CVE-2025-3264
Published 2025-07-07
Priority P4 · CVSS 3.0 score 5.3 (medium) · vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS 0.43% (34.5th percentile)
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects version 4.49.0 and is fixed in version 4.51.0. The issue arises from the regular expression pattern `\s*try\s*:.*?except.*?:`, used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.
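A linear-time alternative to the backtracking regex described above, added here as a defensive illustration and not the project's own fix in 4.51.0 (which this page does not show): an `ast`-based import collector that skips the bodies of `try:` blocks the way the pattern intended, with a size budget in front of the parser. The sample module, the `MAX_SOURCE_BYTES` limit and the function names are constructed for this example.

```python
import ast
from typing import List

# Constructed sample of a remote-code module of the kind get_imports() scans:
# two unconditional imports, one optional dependency guarded by try/except
# and one import nested inside a function body.
SAMPLE_SOURCE = """
import torch
from transformers.modeling_utils import PreTrainedModel
try:
    import flash_attn
except ImportError:
    flash_attn = None
def helper():
    import numpy as np
    return np
"""

MAX_SOURCE_BYTES = 1_000_000  # reject absurdly large remote modules up front

class _ImportCollector(ast.NodeVisitor):
    """Collects top-level package names, skipping the bodies of try blocks."""

    def __init__(self) -> None:
        self.found: List[str] = []

    def visit_Try(self, node: ast.Try) -> None:
        # Skip node.body (the guarded, optional imports) but still walk the
        # except handlers, else and finally clauses: the original regex only
        # strips the text from `try:` up to `except ...:`.
        for child in node.handlers + node.orelse + node.finalbody:
            self.visit(child)

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.found.append(alias.name.split(".")[0])

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module and node.level == 0:  # ignore relative imports
            self.found.append(node.module.split(".")[0])

def get_unguarded_imports(source: str) -> List[str]:
    """Sorted, de-duplicated top-level imports found outside try bodies.
    ast.parse is linear-time, so crafted input cannot trigger catastrophic
    backtracking; malformed source raises SyntaxError to the caller."""
    if len(source.encode("utf-8")) > MAX_SOURCE_BYTES:
        raise ValueError("source exceeds size budget")
    collector = _ImportCollector()
    collector.visit(ast.parse(source))
    return sorted(set(collector.found))
```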
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | huggingface_transformers | >= unspecified < 4.51.0 | 4.51.0 |
| huggingface | transformers | >= 0 < 4.51.0 | 4.51.0 |
| huggingface | transformers | >= 4.49.0 < 4.51.0 | 4.51.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| vendor_redhat | | 5.3 | MEDIUM | |
OSV
osv · 2025-07-07
CVE-2025-3264 [MEDIUM] Transformers vulnerable to ReDoS attack through its get_imports() function
GHSA
ghsa · 2025-07-07
CVE-2025-3264 [MEDIUM] CWE-1333 Transformers vulnerable to ReDoS attack through its get_imports() function
Red Hat
vendor_redhat · 2025-07-07 · CVSS 5.3
CVE-2025-3264 [MEDIUM] CWE-1333 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
No detection rules found.
No public exploits indexed.
Published 2025-07-07