cbcvebase.

Huggingface Transformers vulnerabilities

30 known vulnerabilities affecting huggingface/transformers.

Total CVEs
30
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH20MEDIUM7LOW1

Vulnerabilities

Page 2 of 2
CVE-2025-3262P3HIGHCVSS 7.5fixed in 4.51.02025-07-07
CVE-2025-3262 [HIGH] CWE-1333 CVE-2025-3262: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/trans A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized
ghsanvdosv
CVE-2023-7018P3HIGHCVSS 7.8fixed in 4.36.02023-12-20
CVE-2023-7018 [HIGH] CWE-502 CVE-2023-7018: Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
ghsanvdosv
CVE-2025-1194P4MEDIUMCVSS 6.5fixed in 4.50.02025-04-29
CVE-2025-1194 [MEDIUM] CWE-1333 CVE-2025-1194: A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/trans A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems fr
ghsanvdosv
CVE-2025-6051P4MEDIUMCVSS 5.3v4.52.42025-09-14
CVE-2025-6051 [MEDIUM] CWE-1333 CVE-2025-6051: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Tran A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, wh
ghsanvdosv
CVE-2025-5197P4MEDIUMCVSS 5.3fixed in 4.53.02025-08-06
CVE-2025-5197 [MEDIUM] CWE-1333 CVE-2025-5197: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive
ghsanvdosv
CVE-2025-3933P4MEDIUMCVSS 5.3fixed in 4.52.12025-07-11
CVE-2025-3933 [MEDIUM] CWE-1333 CVE-2025-3933: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Tran A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `` which can be exploited to cause e
ghsanvdosv
CVE-2025-3263P4MEDIUMCVSS 5.3≥ 4.49.0, < 4.51.02025-07-07
CVE-2025-3263 [MEDIUM] CWE-1333 CVE-2025-3263: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Tran A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regu
ghsanvdosv
CVE-2025-3264P4MEDIUMCVSS 5.3≥ 4.49.0, < 4.51.02025-07-07
CVE-2025-3264 [MEDIUM] CWE-1333 CVE-2025-3264: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Tran A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` use
ghsanvdosv
CVE-2023-2800P4MEDIUMCVSS 4.7fixed in 4.30.02023-05-18
CVE-2023-2800 [MEDIUM] CWE-377 CVE-2023-2800: Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0. Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0.
ghsanvdosv
CVE-2025-3777P4LOWCVSS 3.5fixed in 4.52.12025-07-07
CVE-2025-3777 [LOW] CWE-20 CVE-2025-3777: Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnera Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve
ghsanvdosv
Huggingface Transformers vulnerabilities | cvebase