CVE-2025-3263

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-3263
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3263.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-3263
Aliases
Published
2025-07-07T10:15:27.350Z
Modified
2026-02-04T22:27:32.052686Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_configuration_file() function within the transformers.configuration_utils module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern config\.(.*)\.json that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

References

Affected packages

Git / github.com/huggingface/transformers

Affected ranges

Type
GIT
Repo
https://github.com/huggingface/transformers
Events
Fixed
0720e206c6ba28887e4d60ef60a6a089f6c1cc76
Introduced
84f0186e8971a21bcda9b446a8a74f0f1a958f1c
Fixed
0720e206c6ba28887e4d60ef60a6a089f6c1cc76

Affected versions

v4.*
v4.49.0-AyaVision
v4.49.0-Mistral-3
v4.50.3-DeepSeek-3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-3263.json"