CVE-2025-6921

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-6921

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6921.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-6921

Aliases

GHSA-4w7r-h757-3r74

Related

CGA-m94h-gv3j-x4p3

Published

2025-09-23T14:15:41.387Z

Modified

2026-03-13T03:49:57.977441Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the douseweightdecay method, which processes user-controlled regular expressions in the includeinweightdecay and excludefromweightdecay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

References

Affected packages

Git / github.com/huggingface/transformers

Affected ranges

Type

GIT

Repo

https://github.com/huggingface/transformers

Events

Introduced

Fixed

67ddc82fbc7e52c6f42a395b4a6d278c55b77a39

Fixed

47c34fba5c303576560cb29767efb452ff12b8be

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.53.0"
        }
    ]
}

Affected versions

0.*

0.1.2

0.5.0

1.*

1.0

1.1.0

1.2.0

3.*

3.0.1

4.*

4.3.0.rc1

v0.*

v0.1.2

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v0.6.2

v1.*

v1.0.0

v2.*

v2.0.0

v2.1.0

v2.1.1

v2.10.0

v2.11.0

v2.2.0

v2.2.1

v2.2.2

v2.3.0

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.6.0

v2.7.0

v2.8.0

v2.9.0

v2.9.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.1.0

v3.2.0

v3.3.0

v3.3.1

v3.4.0

v3.5.0

v4.*

v4.0.0-rc-1

v4.1.0

v4.1.1

v4.10.0

v4.11.0

v4.12.0

v4.13.0

v4.14.0

v4.15.0

v4.16.0

v4.2.0

v4.3.0.rc1

v4.33.1

v4.4.0

v4.49.0-AyaVision

v4.49.0-Mistral-3

v4.49.0-SigLIP-2

v4.49.0-SmolVLM-2

v4.5.0

v4.50.3-DeepSeek-3

v4.51.3-BitNet-preview

v4.51.3-CSM-preview

v4.51.3-D-FINE-preview

v4.51.3-GraniteMoeHybrid-preview

v4.51.3-InternVL-preview

v4.51.3-Janus-preview

v4.51.3-LlamaGuard-preview

v4.51.3-MLCD-preview

v4.51.3-Qwen2.5-Omni-preview

v4.51.3-SAM-HQ-preview

v4.51.3-TimesFM-preview

v4.52.4-ColQwen2-preview

v4.52.4-Kyutai-STT-preview

v4.52.4-VJEPA-2-preview

v4.6.0

v4.7.0

v4.8.0

v4.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6921.json"