Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

INFO

Published Date :

2025-07-07T09:54:39.079Z

Last Modified :

2025-07-07T15:19:42.413Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2025-3262 vulnerability.

Vendors Products
Huggingface
  • Transformers
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-3262.

URL Resource
https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76 cve-icon cve-icon cve-icon
https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184 cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-3262 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-3262 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact