CVE-2025-6638

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be	Patch
https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:huggingface:transformers:4.52.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-09-12 11:15

Updated : 2025-10-21 13:33

NVD link : CVE-2025-6638

Mitre link : CVE-2025-6638

CVE.ORG link : CVE-2025-6638

JSON object : View

Products Affected

huggingface

transformers

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2025-6638", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-09-12T11:15:31.770", "references": [{"url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service."}], "lastModified": "2025-10-21T13:33:08.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huggingface:transformers:4.52.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA362206-8A09-4249-A522-427C8793D241"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}