CVE-2025-6638
Published 2025-09-12
Priority P3 · 38 · high · CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.48% (38.0th percentile)
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
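The page does not reproduce the regex or the fix. The block below is an added example written for this page, not code from the advisory or from the transformers project. It assumes the vulnerable pattern has the shape `>>.+<<` and that the method returns the leading language code plus the text with all codes stripped; the function names, the crafted payload and the sample inputs are all constructed here. It shows why a greedy pattern of that shape is quadratic on malformed input and gives a single-pass scan that returns identical results, including on the greedy edge cases (several codes on one line, a stray `<`, codes on separate lines).

```python
"""Added example for CVE-2025-6638 (not advisory or library code).

ASSUMPTIONS: the vulnerable tokenizer strips ">>code<<" markers with a greedy
pattern of the shape ">>.+<<" and returns (leading_code, stripped_text).
The real source is not shown on the page; names and inputs are constructed.
"""
from __future__ import annotations

import re
import time

# ASSUMPTION: shape of the vulnerable pattern (greedy ".+" followed by "<<").
VULNERABLE_RE = re.compile(">>.+<<")


def remove_language_code_regex(text: str) -> tuple[list[str], str]:
    """Assumed vulnerable behaviour: leading code via match(), strip all via sub().

    On a line holding many ">>" openers and no "<<" closer, sub() tries every
    opener as a start; for each one ".+" runs to the end of the line and then
    backtracks one character at a time probing for "<<". n starts x O(n)
    probes gives O(n^2) work for an input that produces no match at all.
    """
    match = VULNERABLE_RE.match(text)
    code = [match.group(0)] if match else []
    return code, VULNERABLE_RE.sub("", text)


def remove_language_code_linear(text: str) -> tuple[list[str], str]:
    """Same results as the regex version, in one pass and with no backtracking.

    A greedy ">>.+<<" match starting at j ends at the LAST "<<" on the same
    line ("." never crosses a newline), provided that "<<" starts at j + 3 or
    later (".+" needs at least one character). Computing the line's last "<<"
    once up front makes every decision O(1).
    """
    out: list[str] = []
    leading: list[str] = []
    n = len(text)
    pos = 0
    while pos < n:
        line_end = text.find("\n", pos)
        if line_end == -1:
            line_end = n
        last_close = text.rfind("<<", pos, line_end)  # -1 if the line has none
        i = pos
        while i < line_end:
            j = text.find(">>", i, line_end)
            if j == -1 or last_close < j + 3:
                # No opener on the rest of this line can still be closed.
                out.append(text[i:line_end])
                break
            out.append(text[i:j])
            if j == 0:
                leading.append(text[: last_close + 2])  # what match() would return
            i = last_close + 2  # resume after the match, as re.sub does
        if line_end < n:
            out.append("\n")
        pos = line_end + 1
    return leading, "".join(out)


def crafted_input(n: int) -> str:
    """Constructed attacker payload: n openers on one line, never a "<<" closer.

    The lone "<" after each opener matters: it forces the engine to attempt the
    "<<" tail at every backtracking step instead of skipping cheaply over
    characters that can never start the tail.
    """
    return ">><" * n


def timed(fn, text: str) -> tuple[float, tuple[list[str], str]]:
    """Wall-clock seconds for one call plus its result."""
    start = time.perf_counter()
    result = fn(text)
    return time.perf_counter() - start, result


# Constructed inputs: benign, multi-code, malformed and multi-line cases.
SAMPLE_INPUTS = (
    ">>fr<< Bonjour",
    "no code here",
    ">>fr<<>>de<< mixed",
    ">>fr<< a >>de<< b",
    ">>a<<<",
    ">>x<< >>",
    ">><<",
    "a>>b<<c\n>>d<<e",
    crafted_input(20),
)


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        assert remove_language_code_regex(sample) == remove_language_code_linear(sample)
    for n in (1000, 2000, 4000):  # quadratic: each doubling of n costs about 4x
        elapsed, _ = timed(remove_language_code_regex, crafted_input(n))
        print(f"regex  n={n:>7}: {elapsed:.3f}s")
    elapsed, _ = timed(remove_language_code_linear, crafted_input(400_000))
    print(f"linear n={400_000:>7}: {elapsed:.3f}s")
```

Running it shows the regex timings growing roughly fourfold per doubling of n while the linear scan handles 400,000 openers in milliseconds. For a deployment the remediation remains the upgrade to transformers 4.53.0 or later (check the installed version with `python -c "import transformers; print(transformers.__version__)"`) together with a length cap on untrusted text before it reaches any tokenizer; the linear function is here to make the backtracking cost concrete, not to be patched into the library.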
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| huggingface | huggingface_transformers | >= unspecified < 4.53.0 | 4.53.0 |
| huggingface | transformers | — | — |
| huggingface | transformers | >= 0 < 4.53.0 | 4.53.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | 3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Red Hat (vendor_redhat) | — | 7.5 | HIGH | — |
The two NVD vectors differ only in the availability metric (A:H versus A:L), which is the whole gap between the 7.5 HIGH and 5.3 MEDIUM scores; Red Hat also rates the issue HIGH, while the OSV and GHSA entries below carry MEDIUM.
Red Hat
transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
vendor_redhat · 2025-09-12 · CVSS 7.5 · HIGH · CWE-1333
OSV
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
osv · 2025-09-12 · MEDIUM
GHSA
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
ghsa · 2025-09-12 · MEDIUM · CWE-1333
No detection rules found.
No public exploits indexed.