CVE-2025-3263

Exploit

EPSS 0.04%
Veröffentlicht 07.07.2025 09:54:59
Zuletzt bearbeitet 07.08.2025 01:03:17
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Huggingface ≫ Transformers Version >= 4.49.0 < 4.51.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76

Patch

https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-3263

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-3263

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-3263

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-3263