CVE-2025-6051

Source
https://cve.org/CVERecord?id=CVE-2025-6051
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6051.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6051
Aliases
Related
Published
2025-09-14T17:03:02.953Z
Modified
2026-07-08T07:16:28.326492344Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/6xxx/CVE-2025-6051.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-1333"
    ]
}
References

Affected packages

Git / github.com/huggingface/transformers

Affected ranges

Type
GIT
Repo
https://github.com/huggingface/transformers
Events
Database specific
{
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:huggingface:transformers:4.52.4:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "4.52.4"
        },
        {
            "last_affected": "4.52.4"
        }
    ]
}

Affected versions

4.*
4.52.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6051.json"