CVE-2025-3933 — MEDIUM (CVSS 5.3) AI Security Vulnerability

CISO Take

If your document-processing pipelines use Hugging Face Transformers' Donut model (DonutProcessor), upgrade to 4.52.1 now. This is network-exploitable with zero authentication required, making any public-facing endpoint using this processor a trivial DoS target. Impact is availability-only—no data leakage—but service disruption requires minimal attacker skill.

Risk Assessment

Moderate operational risk despite low CVSS (5.3). The attack profile is highly favorable for adversaries: AV:N/AC:L/PR:N/UI:N means zero friction to exploit remotely. However, blast radius is scoped to services specifically using DonutProcessor for document understanding tasks. EPSS of 0.00035 reflects low real-world exploitation today, but any public API endpoint accepting unvalidated document input is a standing target. Cloud-hosted document processing workloads face secondary cost-exhaustion risk.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
transformers	pip	—	No patch
160.2K OpenSSF 4.9 7.8K dependents Pushed 6d ago 39% patched ~101d to patch Full package profile →
transformers	pip	<= 4.51.3	`4.52.1`
160.2K OpenSSF 4.9 7.8K dependents Pushed 6d ago 39% patched ~101d to patch Full package profile →

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 25% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A Low

Recommended Action

6 steps

PATCH

Upgrade transformers to >= 4.52.1 across all environments.
AUDIT

Enumerate affected deployments with pip show transformers or lockfile scanning in CI/CD.
WORKAROUND (pre-patch): Add input length caps and strip/reject tag-pattern inputs before passing to DonutProcessor.
HARDEN

Enforce rate limiting and request timeouts on document ingestion endpoints.
MONITOR

Alert on sustained CPU spikes in document-processing workers as a detection signal.
SBOM

If you maintain a software bill of materials for AI components, flag this dependency version for remediation tracking.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system for high-risk AI

ISO 42001

6.1.2 - AI risk assessment

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain and monitor AI risk management

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-3933?

If your document-processing pipelines use Hugging Face Transformers' Donut model (DonutProcessor), upgrade to 4.52.1 now. This is network-exploitable with zero authentication required, making any public-facing endpoint using this processor a trivial DoS target. Impact is availability-only—no data leakage—but service disruption requires minimal attacker skill.

Is CVE-2025-3933 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3933, increasing the risk of exploitation.

How to fix CVE-2025-3933?

1. PATCH: Upgrade transformers to >= 4.52.1 across all environments. 2. AUDIT: Enumerate affected deployments with `pip show transformers` or lockfile scanning in CI/CD. 3. WORKAROUND (pre-patch): Add input length caps and strip/reject tag-pattern inputs before passing to DonutProcessor. 4. HARDEN: Enforce rate limiting and request timeouts on document ingestion endpoints. 5. MONITOR: Alert on sustained CPU spikes in document-processing workers as a detection signal. 6. SBOM: If you maintain a software bill of materials for AI components, flag this dependency version for remediation tracking.

What systems are affected by CVE-2025-3933?

This vulnerability affects the following AI/ML architecture patterns: document processing pipelines, model serving, OCR and document understanding systems.

What is the CVSS score for CVE-2025-3933?

CVE-2025-3933 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

Exploitation Scenario

Attacker identifies a public document-processing API (invoice digitizer, form parser) running HF Transformers <= 4.51.3. Crafts a malicious payload that, when processed by the Donut model, generates deeply nested tag sequences (e.g., `<s_a<s_a<s_a...>`) in the model output. The `token2json()` regex `<s_(.*?)>` undergoes catastrophic backtracking against this input, pinning a CPU core at near-100% for multiple seconds per request. Attacker sends 20-50 concurrent requests via a script, causing full service unavailability or triggering auto-scaling cost explosion in cloud environments. No authentication, no ML knowledge, and no model access required—only a crafted HTTP POST.