CVE-2025-2099 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2025-2099 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2099, increasing the risk of exploitation.

Q: How to fix CVE-2025-2099?

1. PATCH: Upgrade immediately — pip install --upgrade 'transformers>=4.50.0'. Verify with: pip show transformers | grep Version. 2. AUDIT: Identify any production service or pipeline importing transformers.testing_utils and prioritize those for emergency patching. 3. WORKAROUND (if patching is blocked): Enforce input length limits upstream — reject or truncate inputs exceeding 1,000 characters before they reach preprocess_string(). 4. DETECT: Alert on Python worker processes sustaining >80% CPU for >30 seconds on ML infrastructure. 5. DEPENDENCY SCAN: Run pip-audit or safety check against your transformers dependency tree across all environments (dev, staging, prod, CI).

CISO Take

HuggingFace Transformers < 4.50.0 contains a ReDoS flaw in its testing utility module that can pin a Python worker at 100% CPU via a crafted newline payload—no authentication required. While the vulnerable function lives in testing infrastructure, any pipeline or service passing untrusted input through preprocess_string() is exposed. Patch to transformers 4.50.0 immediately; no effective workaround exists for the root cause.

Risk Assessment

CVSS 7.5 High with a network-accessible, zero-auth attack vector, but practical risk is moderated by deployment context: the vulnerable function resides in transformers.testing_utils, limiting direct production exposure. EPSS of 0.00092 reflects very low active exploitation probability today. Risk elevates significantly in shared ML platforms, cloud notebook environments, CI/CD pipelines that process external code contributions, or any service that imports testing_utils outside a test harness. Cost-per-compute environments face both availability and financial impact from sustained CPU exhaustion.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
transformers	pip	—	No patch
160.4K OpenSSF 4.9 7.9K dependents Pushed yesterday 39% patched ~101d to patch Full package profile →
transformers	pip	< 4.50.0	`4.50.0`
160.4K OpenSSF 4.9 7.9K dependents Pushed yesterday 39% patched ~101d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 26% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade immediately — pip install --upgrade 'transformers>=4.50.0'. Verify with: pip show transformers | grep Version.
AUDIT

Identify any production service or pipeline importing transformers.testing_utils and prioritize those for emergency patching.
WORKAROUND (if patching is blocked): Enforce input length limits upstream — reject or truncate inputs exceeding 1,000 characters before they reach preprocess_string().
DETECT

Alert on Python worker processes sustaining >80% CPU for >30 seconds on ML infrastructure.
DEPENDENCY SCAN

Run pip-audit or safety check against your transformers dependency tree across all environments (dev, staging, prod, CI).

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.5 - AI system availability and resilience

NIST AI RMF

MANAGE 2.4 - Residual risks to AI system trustworthiness are managed

OWASP LLM Top 10

LLM10 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-2099?

HuggingFace Transformers < 4.50.0 contains a ReDoS flaw in its testing utility module that can pin a Python worker at 100% CPU via a crafted newline payload—no authentication required. While the vulnerable function lives in testing infrastructure, any pipeline or service passing untrusted input through preprocess_string() is exposed. Patch to transformers 4.50.0 immediately; no effective workaround exists for the root cause.

Is CVE-2025-2099 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2099, increasing the risk of exploitation.

How to fix CVE-2025-2099?

1. PATCH: Upgrade immediately — pip install --upgrade 'transformers>=4.50.0'. Verify with: pip show transformers | grep Version. 2. AUDIT: Identify any production service or pipeline importing transformers.testing_utils and prioritize those for emergency patching. 3. WORKAROUND (if patching is blocked): Enforce input length limits upstream — reject or truncate inputs exceeding 1,000 characters before they reach preprocess_string(). 4. DETECT: Alert on Python worker processes sustaining >80% CPU for >30 seconds on ML infrastructure. 5. DEPENDENCY SCAN: Run pip-audit or safety check against your transformers dependency tree across all environments (dev, staging, prod, CI).

What systems are affected by CVE-2025-2099?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, CI/CD ML pipelines, shared ML platforms, model development environments.

What is the CVSS score for CVE-2025-2099?

CVE-2025-2099 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Exploitation Scenario

An attacker identifies a CI/CD pipeline or code documentation service that runs transformers test utilities against submitted code. They craft a pull request or API submission containing a docstring with a code block followed by 5,000+ consecutive newline characters. When preprocess_string() evaluates this input, the nested quantifiers in the internal regex trigger catastrophic backtracking—the process stalls at 100% CPU for minutes per request. By flooding the endpoint with concurrent malicious payloads, the attacker exhausts all available worker threads, taking the CI pipeline or ML service offline. No credentials, no prior access, no ML expertise required.