Описание
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library’s EnglishNormalizer.normalize_numbers method of the CLVP model. Maliciously crafted long numeric strings cause excessive CPU usage due to inefficient regex processing, leading to potential service disruption.
Отчет
This ReDoS vulnerability is classified as a Moderate issue because, while it does not compromise confidentiality or integrity, it can significantly impact the availability of services using the affected component. Attackers can exploit this flaw by sending specially crafted long numeric inputs that cause excessive CPU consumption, potentially slowing down or crashing text processing pipelines, such as text-to-speech systems. Although it requires no special privileges or user interaction, the impact is limited to resource exhaustion rather than data theft or system takeover.
Меры по смягчению последствий
For mitigation, it’s recommended to implement input validation to limit the length and complexity of numeric strings processed by the EnglishNormalizer. Applying rate limiting and monitoring CPU usage can also help detect and prevent potential abuse. For services exposed to untrusted inputs, consider adding sandboxing or timeouts to avoid prolonged processing caused by malicious payloads.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed-tech-preview/lightspeed-rag-tool-rhel9 | Fix deferred | ||
| Red Hat AI Inference Server | rhaiis/vllm-cuda-rhel9 | Fix deferred | ||
| Red Hat AI Inference Server | rhaiis/vllm-rocm-rhel9 | Fix deferred | ||
| Red Hat AI Inference Server | rhaiis/vllm-tpu-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel8 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel9 | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Fix deferred |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.
Hugging Face Transformers library has Regular Expression Denial of Service
Уязвимость функции normalize_numbers() библиотеки Hugging Face Transformers, позволяющая нарушителю вызвать отказ в обслуживании (ReDos)
EPSS
5.3 Medium
CVSS3