Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-3262

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

Published

2025-07-07T10:15:27.200

Last Modified

2025-08-02T01:20:02.673

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-1333

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	huggingface	transformers	< 4.51.0	Yes

References

https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76 Patch ([email protected])
https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184 Exploit, Third Party Advisory ([email protected])
https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184 Exploit, Third Party Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)