
GHSA-qq3j-4f4f-9583

Published: 19 May 2025
Source: github
GitHub: reviewed
CVSS3: 5.3

Description

Hugging Face Transformers Regular Expression Denial of Service

A Regular Expression Denial of Service (ReDoS) exists in the preprocess_string() function of the transformers.testing_utils module. In versions before 4.50.0, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to preprocess_string() (or code paths that call it) can force excessive CPU usage and degrade availability.

Fix: released in 4.50.0, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])

  • Affected: < 4.50.0
  • Patched: 4.50.0

Packages

Name: transformers (pip)
Affected versions: < 4.50.0
Patched version: 4.50.0

EPSS

Percentile: 31%
Score: 0.00114
Low

CVSS3: 5.3 Medium

Weaknesses

CWE-1333

Related vulnerabilities

CVSS3: 7.5
redhat
7 months ago

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

CVSS3: 7.5
nvd
7 months ago

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.