AI Threat Alert

CVE-2025-3933: Transformers: ReDoS in DonutProcessor causes DoS

GHSA-37mw-44qp-f5jm MEDIUM PoC AVAILABLE CISA: TRACK*
Published July 11, 2025
CISO Take

If your document-processing pipelines use Hugging Face Transformers' Donut model (DonutProcessor), upgrade to 4.52.1 now. This is network-exploitable with zero authentication required, making any public-facing endpoint using this processor a trivial DoS target. Impact is availability-only—no data leakage—but service disruption requires minimal attacker skill.

What is the risk?

Moderate operational risk despite low CVSS (5.3). The attack profile is highly favorable for adversaries: AV:N/AC:L/PR:N/UI:N means zero friction to exploit remotely. However, blast radius is scoped to services specifically using DonutProcessor for document understanding tasks. EPSS of 0.00035 reflects low real-world exploitation today, but any public API endpoint accepting unvalidated document input is a standing target. Cloud-hosted document processing workloads face secondary cost-exhaustion risk.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Transformers pip No patch
161.8K OpenSSF 6.4 8.3K dependents Pushed 4d ago 40% patched ~92d to patch Full package profile →
Transformers pip <= 4.51.3 4.52.1
161.8K OpenSSF 6.4 8.3K dependents Pushed 4d ago 40% patched ~92d to patch Full package profile →

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A Low

What should I do?

6 steps

  1. PATCH

    Upgrade transformers to >= 4.52.1 across all environments.

  2. AUDIT

    Enumerate affected deployments with pip show transformers or lockfile scanning in CI/CD.

  3. WORKAROUND (pre-patch): Add input length caps and strip/reject tag-pattern inputs before passing to DonutProcessor.

  4. HARDEN

    Enforce rate limiting and request timeouts on document ingestion endpoints.

  5. MONITOR

    Alert on sustained CPU spikes in document-processing workers as a detection signal.

  6. SBOM

    If you maintain a software bill of materials for AI components, flag this dependency version for remediation tracking.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework Inference AML.T0010.001 AML.T0029 AML.T0034 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system for high-risk AI
ISO 42001
6.1.2 - AI risk assessment
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain and monitor AI risk management
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-3933?

If your document-processing pipelines use Hugging Face Transformers' Donut model (DonutProcessor), upgrade to 4.52.1 now. This is network-exploitable with zero authentication required, making any public-facing endpoint using this processor a trivial DoS target. Impact is availability-only—no data leakage—but service disruption requires minimal attacker skill.

Is CVE-2025-3933 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-3933, increasing the risk of exploitation.

How to fix CVE-2025-3933?

1. PATCH: Upgrade transformers to >= 4.52.1 across all environments. 2. AUDIT: Enumerate affected deployments with `pip show transformers` or lockfile scanning in CI/CD. 3. WORKAROUND (pre-patch): Add input length caps and strip/reject tag-pattern inputs before passing to DonutProcessor. 4. HARDEN: Enforce rate limiting and request timeouts on document ingestion endpoints. 5. MONITOR: Alert on sustained CPU spikes in document-processing workers as a detection signal. 6. SBOM: If you maintain a software bill of materials for AI components, flag this dependency version for remediation tracking.

What systems are affected by CVE-2025-3933?

This vulnerability affects the following AI/ML architecture patterns: document processing pipelines, model serving, OCR and document understanding systems.

What is the CVSS score for CVE-2025-3933?

CVE-2025-3933 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.43%.

What is the AI security impact?

Affected AI Architectures

document processing pipelinesmodel servingOCR and document understanding systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 6.1.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

Exploitation Scenario

Attacker identifies a public document-processing API (invoice digitizer, form parser) running HF Transformers <= 4.51.3. Crafts a malicious payload that, when processed by the Donut model, generates deeply nested tag sequences (e.g., `<s_a<s_a<s_a...>`) in the model output. The `token2json()` regex `<s_(.*?)>` undergoes catastrophic backtracking against this input, pinning a CPU core at near-100% for multiple seconds per request. Attacker sends 20-50 concurrent requests via a script, causing full service unavailability or triggering auto-scaling cost explosion in cloud environments. No authentication, no ML knowledge, and no model access required—only a crafted HTTP POST.

Weaknesses (CWE)

CWE-1333 Inefficient Regular Expression Complexity Primary CWE-1333 Inefficient Regular Expression Complexity

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

  • [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

Timeline

Published
July 11, 2025
Last Modified
August 7, 2025
First Seen
July 11, 2025

Related Vulnerabilities

CRITICAL CVE-2026-26210 9.8

KTransformers: pickle RCE via unauthenticated ZMQ socket

Same package: transformers
CRITICAL CVE-2024-3568 9.6

HuggingFace Transformers: RCE via pickle deserialization

Same package: transformers
CRITICAL CVE-2026-5241 9.6

transformers: trust_remote_code bypass enables RCE via model load

Same package: transformers
HIGH CVE-2023-6730 8.8

HuggingFace Transformers: RCE via unsafe deserialization

Same package: transformers
HIGH CVE-2024-11392 8.8

HuggingFace Transformers: RCE via config deserialization

Same package: transformers
Back to Threat Feed