CVE-2025-3263: Transformers: ReDoS in config loader causes serving DoS
GHSA-q2wp-rjmx-x6x9 MEDIUM PoC AVAILABLE CISA: TRACK*
Patch Hugging Face Transformers to 4.51.0 in any environment where model configuration loading is reachable from external input. The ReDoS in `get_configuration_file()` allows unauthenticated network attackers to exhaust CPU via crafted path strings, degrading or denying model serving. Low EPSS (0.0004) and no active exploitation, but the no-auth, network-accessible attack vector demands patching in the next maintenance window.
What is the risk?
Medium risk in isolation, elevated in practice for public-facing inference APIs. CVSS 5.3 with AV:N/AC:L/PR:N/UI:N makes exploitation trivially accessible — no credentials or AI knowledge required. Impact is limited to availability (A:L), but repeated requests against multi-tenant inference infrastructure can cascade into full service disruption. EPSS of 0.0004 indicates very low current exploitation probability; risk rises sharply if PoC tooling matures.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Transformers | pip | — | No patch |
| Transformers | pip | < 4.51.0 | 4.51.0 |
How severe is it?
What is the attack surface?
What should I do?
4 steps:
1. PATCH: Upgrade transformers to >= 4.51.0 immediately (commit 0720e206c6ba).
2. WORKAROUND (if patching delayed): Allowlist and validate model/config path inputs before they reach transformers; reject strings not matching a strict expected pattern.
3. DETECT: Alert on sustained >80% CPU usage on inference nodes correlated with configuration loading operations; monitor for unusual request patterns to model-loading endpoints.
4. AUDIT: Scan your SBOM or dependency manifests for transformers < 4.51.0 across all services, including transitive dependencies.
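One way to implement the workaround step, as an added example that is not code from Transformers or from the advisory: cap input length first, then accept only a strict identifier shape, and parse versioned config file names with string operations instead of a backtracking regex. The 96-character cap, the identifier grammar, the function names and the sample values are all assumptions made for illustration.

```python
import re

MAX_LEN = 96  # assumed cap, enforced before any pattern matching runs

# Optional "namespace/" followed by a name. "/" is outside the character
# class, so the two segments cannot overlap and matching stays linear.
_MODEL_ID = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._-]*(?:/[A-Za-z0-9][A-Za-z0-9._-]*)?"
)


def is_safe_model_id(value):
    """True only for short 'name' or 'namespace/name' identifiers."""
    if not isinstance(value, str) or not 0 < len(value) <= MAX_LEN:
        return False
    if ".." in value:  # refuse parent-directory style segments
        return False
    return _MODEL_ID.fullmatch(value) is not None


def versioned_config_version(file_name):
    """Return '4.0.0' for 'config.4.0.0.json', else None. Uses no regex."""
    prefix, suffix = "config.", ".json"
    if not isinstance(file_name, str) or len(file_name) > MAX_LEN:
        return None
    if len(file_name) <= len(prefix) + len(suffix):
        return None  # 'config.json' and 'config..json' carry no version
    if not (file_name.startswith(prefix) and file_name.endswith(suffix)):
        return None
    version = file_name[len(prefix):-len(suffix)]
    parts = version.split(".")
    ok = all(p.isascii() and p.isdigit() for p in parts)
    return version if ok else None


# Constructed sample inputs, not taken from any real request log.
SAMPLES = ["bert-base-uncased", "example-org/model-7b", "../config",
           "a/b/c", "config." * 5000]


def screen(values):
    """Keep only the values that may be passed on to the model loader."""
    return [v for v in values if is_safe_model_id(v)]


if __name__ == "__main__":
    print(screen(SAMPLES))
```

Call `is_safe_model_id()` at the API boundary, before the value reaches any Transformers loading call, and log rejected inputs so they feed the detection step.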
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2025-3263 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-3263, increasing the risk of exploitation.
What systems are affected by CVE-2025-3263?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, agent frameworks.
What is the CVSS score for CVE-2025-3263?
CVE-2025-3263 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.43%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.
Exploitation Scenario
An attacker identifies a public-facing model serving API that accepts a model name or configuration path parameter and calls `get_configuration_file()` internally. They craft a malicious string engineered to trigger catastrophic backtracking in the regex `config\.(.*)\.json` — for example, a long string with many repeated characters matching the pattern prefix but no valid termination. Sending 10-20 concurrent requests with this payload pins all inference worker CPU threads at 100%, causing legitimate inference requests to time out. No authentication, ML knowledge, or advanced tooling required — a simple curl loop suffices.
Weaknesses (CWE)
CWE-1333 Inefficient Regular Expression Complexity (Primary): The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
- [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
- github.com/advisories/GHSA-q2wp-rjmx-x6x9
- github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca
- nvd.nist.gov/vuln/detail/CVE-2025-3263
- github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76 Patch
- huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29 Exploit 3rd Party
- github.com/doublegate/Claude-AGI Exploit
Timeline
Related Vulnerabilities
- CVE-2026-26210 (9.8) KTransformers: pickle RCE via unauthenticated ZMQ socket. Same package: transformers
- CVE-2024-3568 (9.6) HuggingFace Transformers: RCE via pickle deserialization. Same package: transformers
- CVE-2026-5241 (9.6) transformers: trust_remote_code bypass enables RCE via model load. Same package: transformers
- CVE-2023-6730 (8.8) HuggingFace Transformers: RCE via unsafe deserialization. Same package: transformers
- CVE-2024-11392 (8.8) HuggingFace Transformers: RCE via config deserialization. Same package: transformers