CVE-2025-5197

NONE EPSS 28.0%
Published Aug 6, 202510mo ago · Modified Jun 17, 20261w ago
Find Similar
Published Aug 6, 2025 10mo ago
Last Modified Jun 17, 2026 1w ago

Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.

Threat Intelligence

EPSS Exploit Probability
28.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-1333

Affected Products 1

VendorProductVersionRange
huggingfacetransformers* <4.53.0

References 2

  • github.com https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b
    Patch
  • huntr.com https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf
    ExploitIssue TrackingPatchThird Party Advisory

Remediation

  • github.com https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b
    Patch
  • huntr.com https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf
    ExploitIssue TrackingPatchThird Party Advisory