CVE-2025-6921

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-6921

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6921.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-6921

Aliases

GHSA-4w7r-h757-3r74

Published

2025-09-23T14:15:41Z

Modified

2025-09-24T20:41:58Z

Summary

[none]

Details

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the douseweightdecay method, which processes user-controlled regular expressions in the includeinweightdecay and excludefromweightdecay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

References

Affected packages

Git / github.com/huggingface/transformers

Affected ranges

Type: GIT
Repo: https://github.com/huggingface/transformers
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

47c34fba5c303576560cb29767efb452ff12b8be