Vulnerability Description
A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.
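As an added illustration (not code from transformers or from the patch commit; the vulnerable pattern below is a constructed stand-in with the same nested-quantifier shape, not the actual regex from `testing_utils`), the following Python shows a regression check that flags superlinear regex cost on newline-heavy input, next to a regex-free, linear-time way to pull fenced code blocks out of a docstring:

```python
import re
import time
from typing import List

# Constructed stand-in for a docstring code-block regex with a nested
# quantifier over newlines. NOT the pattern from the transformers commit;
# it only reproduces the failure mode the advisory describes.
VULNERABLE_PATTERN = re.compile(r"```(\n+)+```")

# Same intent without nesting: each newline is consumed exactly once,
# so a failed match backtracks linearly instead of exponentially.
SAFE_PATTERN = re.compile(r"```\n+```")


def time_match(pattern, n_newlines: int, repeats: int = 3) -> float:
    """Best-of-N seconds spent on a block that opens but never closes."""
    text = "```" + "\n" * n_newlines + "x"  # no closing fence -> must backtrack
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def is_superlinear(pattern, small: int = 10, large: int = 20,
                   factor: float = 20.0, noise_floor: float = 1e-4) -> bool:
    """True when doubling the input costs far more than a constant factor.

    Times below noise_floor (100 us) are clamped so timer jitter on the
    small case cannot produce a false positive for a linear pattern.
    """
    base = max(time_match(pattern, small), noise_floor)
    return time_match(pattern, large) > factor * base


def extract_code_blocks(docstring: str) -> List[str]:
    """Regex-free fenced-block extraction: one pass over lines, linear time."""
    blocks, current = [], None
    for line in docstring.splitlines():
        if line.strip().startswith("```"):
            if current is None:
                current = []          # opening fence
            else:
                blocks.append("\n".join(current))  # closing fence
                current = None
        elif current is not None:
            current.append(line)
    return blocks  # an unclosed block is simply dropped, never backtracked
```

A check like `is_superlinear` belongs in the test suite of any code that runs regexes over untrusted docstrings, so a reintroduced nested quantifier fails CI instead of shipping.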
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Huggingface | Transformers | <= 4.48.3 |
Related Weaknesses (CWE)
References
- https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be0494272 (Patch)
- https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4 (Exploit, Third Party Advisory)
FAQ
What is CVE-2025-2099?
CVE-2025-2099 is a vulnerability with a CVSS score of 7.5 (HIGH). A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) a...
How severe is CVE-2025-2099?
CVE-2025-2099 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-2099?
Check the references section above for vendor advisories and patch information. Affected products include: Huggingface Transformers.