CVE-2025-6051 — MEDIUM (5.3)

Vulnerability Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Huggingface	Transformers	4.52.4

Related Weaknesses (CWE)

CWE-1333

References

https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565Patch
https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9dExploitIssue TrackingPatch

FAQ

What is CVE-2025-6051?

CVE-2025-6051 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` cl...

How severe is CVE-2025-6051?

CVE-2025-6051 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-6051?

Check the references section above for vendor advisories and patch information. Affected products include: Huggingface Transformers.