CVE-2025-3263
NONE EPSS 34.5%
Published Jul 7, 202511mo ago · Modified Jun 17, 20261w ago
Published Jul 7, 2025 11mo ago
Last Modified Jun 17, 2026 1w ago
Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.
Threat Intelligence
EPSS Exploit Probability
34.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-1333
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| huggingface | transformers | * | ≥4.49.0 – <4.51.0 |
References 2
- github.com https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76
- huntr.com https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29
Remediation
- github.com https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76