A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| transformers | pip | < 4.53.0 | 4.53.0 |
Recommended Action
Patch available: update transformers to version 4.53.0.
Technical Details
NVD Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
- github.com/advisories/GHSA-59p9-h35m-wg4g (Advisory)
- github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be (Patch)
- github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099 (Patch)
- huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36 (Exploit, third party)
- nvd.nist.gov/vuln/detail/CVE-2025-6638 (NVD)