Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-2099

Опубликовано: 19 мая 2025
Источник: redhat
CVSS3: 7.5

Описание

A vulnerability in the preprocess_string() function of the transformers.testing_utils module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

A flaw was found in the preprocess_string() function of the transformers.testing_utils module in HuggingFace Transformers. This vulnerability allows a Regular Expression Denial of Service (ReDoS) via a specially crafted input string containing many newline characters that trigger excessive backtracking.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Lightspeedopenshift-lightspeed-tech-preview/lightspeed-service-api-rhel9Not affected
Red Hat Ansible Automation Platform 2ansible-automation-platform-24/de-minimal-rhel8Not affected
Red Hat Ansible Automation Platform 2ansible-automation-platform-24/de-minimal-rhel9Not affected
Red Hat Ansible Automation Platform 2ansible-automation-platform-25/de-minimal-rhel8Not affected
Red Hat Ansible Automation Platform 2ansible-automation-platform-25/de-minimal-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-amd-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-aws-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-azure-amd-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-azure-nvidia-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI)rhelai1/bootc-gcp-nvidia-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-1333
https://bugzilla.redhat.com/show_bug.cgi?id=2367239transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers

7.5 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-2099

CVSS3: 7.5
nvd
7 месяцев назад

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

github логотип

GHSA-qq3j-4f4f-9583

CVSS3: 5.3
github
7 месяцев назад

Hugging Face Transformers Regular Expression Denial of Service

7.5 High

CVSS3