CVE-2025-2099: Transformers ReDoS — HIGH

Q: Is CVE-2025-2099 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2099, increasing the risk of exploitation.

Q: How to fix CVE-2025-2099?

1. PATCH: Upgrade immediately — pip install --upgrade 'transformers>=4.50.0'. Verify with: pip show transformers | grep Version. 2. AUDIT: Identify any production service or pipeline importing transformers.testing_utils and prioritize those for emergency patching. 3. WORKAROUND (if patching is blocked): Enforce input length limits upstream — reject or truncate inputs exceeding 1,000 characters before they reach preprocess_string(). 4. DETECT: Alert on Python worker processes sustaining >80% CPU for >30 seconds on ML infrastructure. 5. DEPENDENCY SCAN: Run pip-audit or safety check against your transformers dependency tree across all environments (dev, staging, prod, CI).

CISO Take

HuggingFace Transformers < 4.50.0 contains a ReDoS flaw in its testing utility module that can pin a Python worker at 100% CPU via a crafted newline payload—no authentication required. While the vulnerable function lives in testing infrastructure, any pipeline or service passing untrusted input through preprocess_string() is exposed. Patch to transformers 4.50.0 immediately; no effective workaround exists for the root cause.

What is the risk?

CVSS 7.5 High with a network-accessible, zero-auth attack vector, but practical risk is moderated by deployment context: the vulnerable function resides in transformers.testing_utils, limiting direct production exposure. EPSS of 0.00092 reflects very low active exploitation probability today. Risk elevates significantly in shared ML platforms, cloud notebook environments, CI/CD pipelines that process external code contributions, or any service that imports testing_utils outside a test harness. Cost-per-compute environments face both availability and financial impact from sustained CPU exhaustion.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Transformers	pip	—	No patch
161.8K OpenSSF 6.4 8.3K dependents Pushed 4d ago 40% patched ~92d to patch Full package profile →
Transformers	pip	< 4.50.0	`4.50.0`
161.8K OpenSSF 6.4 8.3K dependents Pushed 4d ago 40% patched ~92d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 39% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

PATCH

Upgrade immediately — pip install --upgrade 'transformers>=4.50.0'. Verify with: pip show transformers | grep Version.
AUDIT

Identify any production service or pipeline importing transformers.testing_utils and prioritize those for emergency patching.
WORKAROUND (if patching is blocked): Enforce input length limits upstream — reject or truncate inputs exceeding 1,000 characters before they reach preprocess_string().
DETECT

Alert on Python worker processes sustaining >80% CPU for >30 seconds on ML infrastructure.
DEPENDENCY SCAN

Run pip-audit or safety check against your transformers dependency tree across all environments (dev, staging, prod, CI).

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk management system

ISO 42001

A.6.2.5 - AI system availability and resilience

NIST AI RMF

MANAGE 2.4 - Residual risks to AI system trustworthiness are managed

OWASP LLM Top 10

LLM10 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-2099?

HuggingFace Transformers < 4.50.0 contains a ReDoS flaw in its testing utility module that can pin a Python worker at 100% CPU via a crafted newline payload—no authentication required. While the vulnerable function lives in testing infrastructure, any pipeline or service passing untrusted input through preprocess_string() is exposed. Patch to transformers 4.50.0 immediately; no effective workaround exists for the root cause.

Is CVE-2025-2099 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2099, increasing the risk of exploitation.

How to fix CVE-2025-2099?

1. PATCH: Upgrade immediately — pip install --upgrade 'transformers>=4.50.0'. Verify with: pip show transformers | grep Version. 2. AUDIT: Identify any production service or pipeline importing transformers.testing_utils and prioritize those for emergency patching. 3. WORKAROUND (if patching is blocked): Enforce input length limits upstream — reject or truncate inputs exceeding 1,000 characters before they reach preprocess_string(). 4. DETECT: Alert on Python worker processes sustaining >80% CPU for >30 seconds on ML infrastructure. 5. DEPENDENCY SCAN: Run pip-audit or safety check against your transformers dependency tree across all environments (dev, staging, prod, CI).

What systems are affected by CVE-2025-2099?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, CI/CD ML pipelines, shared ML platforms, model development environments.

What is the CVSS score for CVE-2025-2099?

CVE-2025-2099 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.51%.

What is the AI security impact?

Affected AI Architectures

training pipelinesCI/CD ML pipelinesshared ML platformsmodel development environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.2.5

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM10

What are the technical details?

Original Advisory

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Exploitation Scenario

An attacker identifies a CI/CD pipeline or code documentation service that runs transformers test utilities against submitted code. They craft a pull request or API submission containing a docstring with a code block followed by 5,000+ consecutive newline characters. When preprocess_string() evaluates this input, the nested quantifiers in the internal regex trigger catastrophic backtracking—the process stalls at 100% CPU for minutes per request. By flooding the endpoint with concurrent malicious payloads, the attacker exhausts all available worker threads, taking the CI pipeline or ML service offline. No credentials, no prior access, no ML expertise required.

Weaknesses (CWE)

CWE-1333 Inefficient Regular Expression Complexity Primary CWE-1333 Inefficient Regular Expression Complexity

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

[Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
[System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.