CVE-2025-3263: Transformers: ReDoS in config loader causes serving DoS

GHSA-q2wp-rjmx-x6x9 MEDIUM PoC AVAILABLE CISA: TRACK*
Published July 7, 2025
CISO Take

Patch Hugging Face Transformers to 4.51.0 in any environment where model configuration loading is reachable from external input. The ReDoS in `get_configuration_file()` allows unauthenticated network attackers to exhaust CPU via crafted path strings, degrading or denying model serving. Low EPSS (0.0004) and no active exploitation, but the no-auth, network-accessible attack vector demands patching in the next maintenance window.

Risk Assessment

Medium risk in isolation, elevated in practice for public-facing inference APIs. CVSS 5.3 with AV:N/AC:L/PR:N/UI:N makes exploitation trivially accessible — no credentials or AI knowledge required. Impact is limited to availability (A:L), but repeated requests against multi-tenant inference infrastructure can cascade into full service disruption. EPSS of 0.0004 indicates very low current exploitation probability; risk rises sharply if PoC tooling matures.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| transformers | pip | | No patch |
| transformers | pip | < 4.51.0 | 4.51.0 |

Package profile (transformers): 160.4K, OpenSSF 4.9, 7.9K dependents, pushed yesterday, 39% patched, ~101d to patch

Severity & Risk

CVSS 3.1: 5.3 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

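AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): Low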

Recommended Action

  1. PATCH: Upgrade transformers to >= 4.51.0 immediately (commit 0720e206c6ba).

  2. WORKAROUND (if patching delayed): Allowlist and validate model/config path inputs before they reach transformers; reject strings not matching a strict expected pattern.

  3. DETECT: Alert on sustained >80% CPU usage on inference nodes correlated with configuration loading operations; monitor for unusual request patterns to model-loading endpoints.

  4. AUDIT: Scan your SBOM or dependency manifests for transformers < 4.51.0 across all services, including transitive dependencies.
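
The WORKAROUND and AUDIT steps above, as an added Python example that is not part of this advisory or of the transformers project. The `org/name` identifier shape, the length caps, the `example-org` allowlist and the sample manifest are assumptions constructed for illustration, and only exact `==` pins are checked.

```python
import re

PATCHED = (4, 51, 0)   # fixed release named in this advisory
MAX_REF_LEN = 96       # assumed cap, enforced before any regex runs
# Assumed identifier shape "org/name": anchored, bounded repeats, no nested quantifiers.
_NAME = r"[A-Za-z0-9][A-Za-z0-9._-]{0,47}"
_REF = re.compile(rf"({_NAME})/({_NAME})")
ALLOWED_ORGS = frozenset({"example-org"})   # hypothetical allowlist

def is_allowed_model_ref(value):
    """WORKAROUND: accept only short, well-formed identifiers from allowlisted orgs."""
    if not isinstance(value, str) or len(value) > MAX_REF_LEN:
        return False
    m = _REF.fullmatch(value)
    if m is None or ".." in value:
        return False
    return m.group(1) in ALLOWED_ORGS

# Exact pins only, e.g. "transformers==4.49.0" or "transformers[torch]==4.49.0".
_PIN = re.compile(r"\s*transformers(?:\[[^\]\s]*\])?\s*==\s*(\d+(?:\.\d+){0,3})", re.I)

def vulnerable_pins(requirements_text):
    """AUDIT: return (line_number, version) for pins below the patched release."""
    hits = []
    for number, line in enumerate(requirements_text.splitlines(), 1):
        m = _PIN.match(line)
        if m is None:
            continue
        parts = tuple(int(p) for p in m.group(1).split("."))
        parts += (0,) * (3 - len(parts))
        if parts[:3] < PATCHED:
            hits.append((number, m.group(1)))
    return hits

# Constructed sample manifest, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0
transformers==4.49.0
transformers[torch]==4.51.0
# transformers==4.40.0
Transformers == 4.50.3
"""

if __name__ == "__main__":
    for ref in ("example-org/sentiment-small", "other-org/model", "example-org/a..b"):
        print(ref, is_allowed_model_ref(ref))
    print(vulnerable_pins(SAMPLE_REQUIREMENTS))
```

Call `is_allowed_model_ref()` at the API boundary, before the value is handed to any model-loading code, and run `vulnerable_pins()` over each service's manifest or lock file.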

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 17 - Quality management system; Article 9 - Risk management system
ISO 42001: A.6.1.2 - AI risk management process; A.9.3 - Monitoring of AI system performance
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value of AI systems over time; MAP 5.1 - Likelihood of vulnerabilities and unintended outcomes is examined
OWASP LLM Top 10: LLM03 - Supply Chain; LLM10 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2025-3263?

Patch Hugging Face Transformers to 4.51.0 in any environment where model configuration loading is reachable from external input. The ReDoS in `get_configuration_file()` allows unauthenticated network attackers to exhaust CPU via crafted path strings, degrading or denying model serving. Low EPSS (0.0004) and no active exploitation, but the no-auth, network-accessible attack vector demands patching in the next maintenance window.

Is CVE-2025-3263 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3263, increasing the risk of exploitation.

How to fix CVE-2025-3263?

1. PATCH: Upgrade transformers to >= 4.51.0 immediately (commit 0720e206c6ba).
2. WORKAROUND (if patching delayed): Allowlist and validate model/config path inputs before they reach transformers; reject strings not matching a strict expected pattern.
3. DETECT: Alert on sustained >80% CPU usage on inference nodes correlated with configuration loading operations; monitor for unusual request patterns to model-loading endpoints.
4. AUDIT: Scan your SBOM or dependency manifests for transformers < 4.51.0 across all services, including transitive dependencies.

What systems are affected by CVE-2025-3263?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, agent frameworks.

What is the CVSS score for CVE-2025-3263?

CVE-2025-3263 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.
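
One way to handle such file names without a backtracking regex, as an added Python example (not the library's code and not the 4.51.0 fix). It assumes versioned configuration files are named `config.<version>.json`, which the description above does not state; the function names, length caps and sample listing are constructed for illustration.

```python
MAX_NAME_LEN = 64                    # assumed cap on a config file name
PREFIX, SUFFIX = "config.", ".json"  # assumed layout: config.<version>.json

def parse_version(text):
    """Parse 'N', 'N.N', 'N.N.N' or 'N.N.N.N' into a 4-tuple, else None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() and len(p) <= 6 for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def version_of(file_name):
    """Return the version embedded in a config file name, or None."""
    if len(file_name) > MAX_NAME_LEN:
        return None                  # oversized names are rejected unscanned
    if not (file_name.startswith(PREFIX) and file_name.endswith(SUFFIX)):
        return None
    middle = file_name[len(PREFIX):len(file_name) - len(SUFFIX)]
    return parse_version(middle)

def select_config_file(file_names, library_version, default="config.json"):
    """Pick the newest versioned config that is not newer than the library."""
    limit = parse_version(library_version)
    if limit is None:
        raise ValueError("library_version must be dotted digits")
    best, chosen = None, default
    for name in file_names:
        found = version_of(name)
        if found is None or found > limit:
            continue
        if best is None or found > best:
            best, chosen = found, name
    return chosen

# Constructed file listing for illustration.
SAMPLE_FILES = ["config.json", "config.4.0.0.json", "config.5.0.0.json",
                "README.md", "config." + "x" * 500 + ".json"]

if __name__ == "__main__":
    print(select_config_file(SAMPLE_FILES, "4.51.0"))
    print(select_config_file(SAMPLE_FILES, "3.9.0"))
```

Each name costs one length check, two fixed-string comparisons and a split of at most 64 characters, so the work per file is bounded regardless of what the name contains.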

Exploitation Scenario

An attacker identifies a public-facing model serving API that accepts a model name or configuration path parameter and calls `get_configuration_file()` internally. They craft a malicious string engineered to trigger catastrophic backtracking in the regex `config\.(.*)\.json` — for example, a long string with many repeated characters matching the pattern prefix but no valid termination. Sending 10-20 concurrent requests with this payload pins all inference worker CPU threads at 100%, causing legitimate inference requests to time out. No authentication, ML knowledge, or advanced tooling required — a simple curl loop suffices.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published: July 7, 2025
Last Modified: August 7, 2025
First Seen: July 7, 2025

Related Vulnerabilities