5.3
CVE-2025-3933
- EPSS 0.43%
- Veröffentlicht 11.07.2025 09:22:27
- Zuletzt bearbeitet 07.08.2025 01:01:46
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
Regular Expression Denial of Service (ReDoS) in huggingface/transformers
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Huggingface ≫ Transformers Version < 4.52.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.43% | 0.345 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
| security@huntr.dev | 5.3 | 3.9 | 1.4 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-1333 Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93