Vulnerability Description
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression is applied to specially crafted input. The issue stems from the regex backtracking excessively on certain inputs, which gives it exponential time complexity. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Huggingface | Transformers | < 4.48.0 |
Related Weaknesses (CWE)
References
- https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82 (Patch)
- https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98 (Vendor Advisory)
FAQ
What is CVE-2024-12720?
CVE-2024-12720 is a vulnerability with a CVSS score of 7.5 (HIGH). A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in t...
How severe is CVE-2024-12720?
CVE-2024-12720 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-12720?
Check the references section above for vendor advisories and patch information. Affected products include: Huggingface Transformers.