CVE-2025-3262: Transformers ReDoS — HIGH

Q: Is CVE-2025-3262 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3262, increasing the risk of exploitation.

Q: How to fix CVE-2025-3262?

1. Upgrade transformers to 4.51.0 or later — patch commits 0720e206 and 126abe34 on GitHub. 2. Audit all AI/ML environments with `pip show transformers` or `pip list | grep transformers` to identify affected versions. 3. If immediate upgrade is blocked, apply input length limits and sanitize user-controlled strings before they reach the transformers chat interface. 4. Deploy CPU utilization alerts on transformer-serving processes — anomalous CPU spikes correlated with incoming requests are the primary detection signal. 5. Apply rate limiting on any public-facing endpoint using the transformers chat command. 6. Add transformers to your SCA/dependency scanning pipeline to catch future vulnerable versions at build time.

Q: What systems are affected by CVE-2025-3262?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, model serving, chatbot deployments, agent frameworks.

Q: What is the CVSS score for CVE-2025-3262?

CVE-2025-3262 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.43%.

CISO Take

HuggingFace Transformers 4.49.0 contains a ReDoS vulnerability in the chat CLI command that allows unauthenticated network attackers to exhaust CPU resources with a single crafted string. Upgrade to 4.51.0 immediately. Risk is bounded to deployments where the transformers chat interface accepts external untrusted input — assess your exposure before treating this as a fire drill.

What is the risk?

Moderate operational risk despite CVSS 7.5. The very low EPSS score (0.00132) and narrow attack surface — specifically the chat CLI command parser — limit real-world exploitation probability significantly. The network-accessible, no-auth, no-user-interaction attack path is the most concerning factor; any deployment exposing the transformers chat interface to the internet is directly vulnerable. Impact is availability-only with no data exfiltration or code execution risk, but a successful attack achieves complete service disruption.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Transformers	pip	—	No patch
161.8K OpenSSF 6.4 8.3K dependents Pushed 4d ago 40% patched ~92d to patch Full package profile →
Transformers	pip	>= 4.49.0, < 4.51.0	`4.51.0`
161.8K OpenSSF 6.4 8.3K dependents Pushed 4d ago 40% patched ~92d to patch Full package profile →

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 34% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

6 steps

Upgrade transformers to 4.51.0 or later — patch commits 0720e206 and 126abe34 on GitHub.
Audit all AI/ML environments with pip show transformers or pip list | grep transformers to identify affected versions.
If immediate upgrade is blocked, apply input length limits and sanitize user-controlled strings before they reach the transformers chat interface.
Deploy CPU utilization alerts on transformer-serving processes — anomalous CPU spikes correlated with incoming requests are the primary detection signal.
Apply rate limiting on any public-facing endpoint using the transformers chat command.
Add transformers to your SCA/dependency scanning pipeline to catch future vulnerable versions at build time.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-3262?

HuggingFace Transformers 4.49.0 contains a ReDoS vulnerability in the chat CLI command that allows unauthenticated network attackers to exhaust CPU resources with a single crafted string. Upgrade to 4.51.0 immediately. Risk is bounded to deployments where the transformers chat interface accepts external untrusted input — assess your exposure before treating this as a fire drill.

Is CVE-2025-3262 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3262, increasing the risk of exploitation.

How to fix CVE-2025-3262?

1. Upgrade transformers to 4.51.0 or later — patch commits 0720e206 and 126abe34 on GitHub. 2. Audit all AI/ML environments with `pip show transformers` or `pip list | grep transformers` to identify affected versions. 3. If immediate upgrade is blocked, apply input length limits and sanitize user-controlled strings before they reach the transformers chat interface. 4. Deploy CPU utilization alerts on transformer-serving processes — anomalous CPU spikes correlated with incoming requests are the primary detection signal. 5. Apply rate limiting on any public-facing endpoint using the transformers chat command. 6. Add transformers to your SCA/dependency scanning pipeline to catch future vulnerable versions at build time.

What systems are affected by CVE-2025-3262?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, model serving, chatbot deployments, agent frameworks.

What is the CVSS score for CVE-2025-3262?

CVE-2025-3262 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.43%.

What is the AI security impact?

Affected AI Architectures

LLM chat interfacesmodel servingchatbot deploymentsagent frameworks

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: 8.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM10:2025

What are the technical details?

Original Advisory

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

Exploitation Scenario

An adversary identifies a public-facing AI chatbot or assistant service powered by HuggingFace Transformers 4.49.0. They craft a string that almost matches the SETTING_RE regex pattern — using repetitive characters designed to trigger catastrophic backtracking in the regex engine. When submitted as a chat setting parameter, the Python regex engine enters exponential time complexity. The attacker dispatches a burst of such requests (trivially automated), pinning the service CPU at 100% within seconds and rendering it unavailable to legitimate users. No credentials, no prior AI/ML knowledge, and no access to source code are required — only awareness of the affected regex location, which is publicly documented in the Huntr advisory.

Weaknesses (CWE)

CWE-1333 Inefficient Regular Expression Complexity Primary CWE-1333 Inefficient Regular Expression Complexity

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

[Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
[System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.