CVE-2025-3262 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2025-3262 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3262, increasing the risk of exploitation.

Q: How to fix CVE-2025-3262?

1. Upgrade transformers to 4.51.0 or later — patch commits 0720e206 and 126abe34 on GitHub. 2. Audit all AI/ML environments with `pip show transformers` or `pip list | grep transformers` to identify affected versions. 3. If immediate upgrade is blocked, apply input length limits and sanitize user-controlled strings before they reach the transformers chat interface. 4. Deploy CPU utilization alerts on transformer-serving processes — anomalous CPU spikes correlated with incoming requests are the primary detection signal. 5. Apply rate limiting on any public-facing endpoint using the transformers chat command. 6. Add transformers to your SCA/dependency scanning pipeline to catch future vulnerable versions at build time.

Q: What systems are affected by CVE-2025-3262?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, model serving, chatbot deployments, agent frameworks.

Q: What is the CVSS score for CVE-2025-3262?

CVE-2025-3262 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.32%.

CISO Take

HuggingFace Transformers 4.49.0 contains a ReDoS vulnerability in the chat CLI command that allows unauthenticated network attackers to exhaust CPU resources with a single crafted string. Upgrade to 4.51.0 immediately. Risk is bounded to deployments where the transformers chat interface accepts external untrusted input — assess your exposure before treating this as a fire drill.

Risk Assessment

Moderate operational risk despite CVSS 7.5. The very low EPSS score (0.00132) and narrow attack surface — specifically the chat CLI command parser — limit real-world exploitation probability significantly. The network-accessible, no-auth, no-user-interaction attack path is the most concerning factor; any deployment exposing the transformers chat interface to the internet is directly vulnerable. Impact is availability-only with no data exfiltration or code execution risk, but a successful attack achieves complete service disruption.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
transformers	pip	—	No patch
160.2K OpenSSF 4.9 7.8K dependents Pushed 6d ago 39% patched ~101d to patch Full package profile →
transformers	pip	>= 4.49.0, < 4.51.0	`4.51.0`
160.2K OpenSSF 4.9 7.8K dependents Pushed 6d ago 39% patched ~101d to patch Full package profile →

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 55% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

6 steps

Upgrade transformers to 4.51.0 or later — patch commits 0720e206 and 126abe34 on GitHub.
Audit all AI/ML environments with pip show transformers or pip list | grep transformers to identify affected versions.
If immediate upgrade is blocked, apply input length limits and sanitize user-controlled strings before they reach the transformers chat interface.
Deploy CPU utilization alerts on transformer-serving processes — anomalous CPU spikes correlated with incoming requests are the primary detection signal.
Apply rate limiting on any public-facing endpoint using the transformers chat command.
Add transformers to your SCA/dependency scanning pipeline to catch future vulnerable versions at build time.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system operation and monitoring

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-3262?

HuggingFace Transformers 4.49.0 contains a ReDoS vulnerability in the chat CLI command that allows unauthenticated network attackers to exhaust CPU resources with a single crafted string. Upgrade to 4.51.0 immediately. Risk is bounded to deployments where the transformers chat interface accepts external untrusted input — assess your exposure before treating this as a fire drill.

Is CVE-2025-3262 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3262, increasing the risk of exploitation.

How to fix CVE-2025-3262?

1. Upgrade transformers to 4.51.0 or later — patch commits 0720e206 and 126abe34 on GitHub. 2. Audit all AI/ML environments with `pip show transformers` or `pip list | grep transformers` to identify affected versions. 3. If immediate upgrade is blocked, apply input length limits and sanitize user-controlled strings before they reach the transformers chat interface. 4. Deploy CPU utilization alerts on transformer-serving processes — anomalous CPU spikes correlated with incoming requests are the primary detection signal. 5. Apply rate limiting on any public-facing endpoint using the transformers chat command. 6. Add transformers to your SCA/dependency scanning pipeline to catch future vulnerable versions at build time.

What systems are affected by CVE-2025-3262?

This vulnerability affects the following AI/ML architecture patterns: LLM chat interfaces, model serving, chatbot deployments, agent frameworks.

What is the CVSS score for CVE-2025-3262?

CVE-2025-3262 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.32%.

Technical Details

NVD Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

Exploitation Scenario

An adversary identifies a public-facing AI chatbot or assistant service powered by HuggingFace Transformers 4.49.0. They craft a string that almost matches the SETTING_RE regex pattern — using repetitive characters designed to trigger catastrophic backtracking in the regex engine. When submitted as a chat setting parameter, the Python regex engine enters exponential time complexity. The attacker dispatches a burst of such requests (trivially automated), pinning the service CPU at 100% within seconds and rendering it unavailable to legitimate users. No credentials, no prior AI/ML knowledge, and no access to source code are required — only awareness of the affected regex location, which is publicly documented in the Huntr advisory.