cbcvebase.
CVE-2025-6921
published 2025-09-23

CVE-2025-6921: The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer…

PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.47%
37.0th percentile
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

Affected

5 ranges
VendorProductVersion rangeFixed in
huggingfacehuggingface_transformers>= unspecified < 4.53.04.53.0
huggingfacetransformers< 4.53.04.53.0
huggingfacetransformers>= 0 < 4.53.04.53.0
msrccbl2_libtiff_4.4.0-8_on_cbl_mariner_2.0
msrccm1_libtiff_4.5.0-1_on_cbl_mariner_1.0

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vendor_redhat7.5HIGH
vendor_msrc5.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.