CVE-2025-3933
published 2025-07-11CVE-2025-3933: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor…
PriorityP426medium5.3CVSS 3.1
AVNACLPRNUINSUCNINAL
EPSS
0.43%
34.5th percentile
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | huggingface_transformers | >= unspecified < 4.52.1 | 4.52.1 |
| huggingface | transformers | < 4.52.1 | 4.52.1 |
| huggingface | transformers | >= 0 < 4.52.1 | 4.52.1 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
ghsa·2025-07-11
CVE-2025-3933 [MEDIUM] CWE-1333 Transformers is vulnerable to ReDoS attack through its DonutProcessor class
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
OSV
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
osv·2025-07-11
CVE-2025-3933 [MEDIUM] Transformers is vulnerable to ReDoS attack through its DonutProcessor class
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
Red Hat
transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
vendor_redhat·2025-07-11·CVSS 5.3
CVE-2025-3933 [MEDIUM] CWE-1333 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
A regular expression denial of service flaw has been discovered in the Hugging Face Transformers
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-07-11
Published