CVE-2025-6051

Exploit

EPSS 0.03%
Veröffentlicht 14.09.2025 17:03:02
Zuletzt bearbeitet 21.10.2025 14:16:24
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Huggingface ≫ Transformers Version4.52.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.099

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d

Patch

Third Party Advisory

Exploit

Issue Tracking

https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-6051

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-6051

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-6051

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-6051