CVE-2025-1194: Transformers ReDoS — MEDIUM

Q: Is CVE-2025-1194 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1194, increasing the risk of exploitation.

Q: How to fix CVE-2025-1194?

1. PATCH: Upgrade transformers to ≥4.50.0 (pip install --upgrade transformers). This is the only complete fix. 2. WORKAROUND (if upgrade is blocked): Implement input length caps and character class validation before tokenization; reject inputs exceeding a safe threshold for Japanese text. 3. DETECTION: Monitor inference server CPU utilization for sustained spikes correlated with single requests; alert on requests exceeding 2-3x normal tokenization latency. 4. CONTAINMENT: If running multi-tenant inference, isolate Japanese tokenizer workloads to dedicated workers with CPU throttling (cgroups/ulimit) to prevent cross-tenant DoS. 5. VALIDATION: After patching, confirm version with `pip show transformers | grep Version`.

Q: What systems are affected by CVE-2025-1194?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, NLP processing pipelines, batch inference.

Q: What is the CVSS score for CVE-2025-1194?

CVE-2025-1194 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.39%.

CISO Take

Upgrade HuggingFace Transformers to 4.50.0 immediately if your stack includes any Japanese NLP workloads. The ReDoS in SubWordJapaneseTokenizer can peg CPU to 100% via a single crafted input, taking down inference services or preprocessing pipelines. If you are not running Japanese language models, your exposure is zero — this is a narrow but real availability risk for those who are.

What is the risk?

Actual risk is low-to-moderate despite CVSS 6.5. EPSS of 0.00078 signals no active exploitation. Attack vector is network but requires user interaction — a downstream user or API consumer must submit the malicious payload to a tokenizer-exposed endpoint. Impact is purely availability (DoS), with no data loss or confidentiality breach. Blast radius is limited to organizations running GPT-NeoX-Japanese models. The fix is available and straightforward (pip upgrade), making residual risk low for patched systems.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Transformers	pip	—	No patch
161.8K OpenSSF 6.4 8.3K dependents Pushed 5d ago 40% patched ~92d to patch Full package profile →
Transformers	pip	< 4.50.0	`4.50.0`
161.8K OpenSSF 6.4 8.3K dependents Pushed 5d ago 40% patched ~92d to patch Full package profile →

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 31% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Unchanged

C None

I None

A High

What should I do?

5 steps

PATCH

Upgrade transformers to ≥4.50.0 (pip install --upgrade transformers). This is the only complete fix.
WORKAROUND (if upgrade is blocked): Implement input length caps and character class validation before tokenization; reject inputs exceeding a safe threshold for Japanese text.
DETECTION

Monitor inference server CPU utilization for sustained spikes correlated with single requests; alert on requests exceeding 2-3x normal tokenization latency.
CONTAINMENT

If running multi-tenant inference, isolate Japanese tokenizer workloads to dedicated workers with CPU throttling (cgroups/ulimit) to prevent cross-tenant DoS.
VALIDATION

After patching, confirm version with pip show transformers | grep Version.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system operation

NIST AI RMF

GOVERN-1.7 - Processes for AI risk and impact tracking MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-1194?

Upgrade HuggingFace Transformers to 4.50.0 immediately if your stack includes any Japanese NLP workloads. The ReDoS in SubWordJapaneseTokenizer can peg CPU to 100% via a single crafted input, taking down inference services or preprocessing pipelines. If you are not running Japanese language models, your exposure is zero — this is a narrow but real availability risk for those who are.

Is CVE-2025-1194 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1194, increasing the risk of exploitation.

How to fix CVE-2025-1194?

1. PATCH: Upgrade transformers to ≥4.50.0 (pip install --upgrade transformers). This is the only complete fix. 2. WORKAROUND (if upgrade is blocked): Implement input length caps and character class validation before tokenization; reject inputs exceeding a safe threshold for Japanese text. 3. DETECTION: Monitor inference server CPU utilization for sustained spikes correlated with single requests; alert on requests exceeding 2-3x normal tokenization latency. 4. CONTAINMENT: If running multi-tenant inference, isolate Japanese tokenizer workloads to dedicated workers with CPU throttling (cgroups/ulimit) to prevent cross-tenant DoS. 5. VALIDATION: After patching, confirm version with `pip show transformers | grep Version`.

What systems are affected by CVE-2025-1194?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, NLP processing pipelines, batch inference.

What is the CVSS score for CVE-2025-1194?

CVE-2025-1194 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

model servingtraining pipelinesNLP processing pipelinesbatch inference

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 6.1.2, 8.4

NIST AI RMF: GOVERN-1.7, MANAGE-2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Exploitation Scenario

An adversary targeting a Japanese-language sentiment analysis or document processing SaaS API sends a POST request with a specially crafted string designed to trigger catastrophic backtracking in the SubWordJapaneseTokenizer regex engine. No authentication is required if the endpoint is public-facing. The regex processes the input, enters exponential backtracking, and the worker process consumes 100% CPU for an extended period. In a Kubernetes deployment, liveness probes time out and the pod restarts, creating a cycle exploitable to maintain denial of service with low-rate request flooding. The PoC is public via huntr.com, making this accessible to low-sophistication actors targeting Japanese NLP services.

Weaknesses (CWE)

CWE-1333 Inefficient Regular Expression Complexity Primary CWE-1333 Inefficient Regular Expression Complexity

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

[Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
[System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.