CVE-2025-2099
MEDIUM5.3EPSS 0.09%Hugging Face Transformers Regular Expression Denial of Service
發布日:2025/5/19修改日:2025/9/25
描述
A Regular Expression Denial of Service (ReDoS) exists in the `preprocess_string()` function of the `transformers.testing_utils` module. In versions **before 4.50.0**, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to `preprocess_string()` (or code paths that call it) can force excessive CPU usage and degrade availability. **Fix:** released in **4.50.0**, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1]) * **Affected:** `< 4.50.0` * **Patched:** `4.50.0`
受影響套件(2)
- PyPI/transformersfrom 0, < 4.50.0
- PyPI/transformersfrom 0, < 8cb522b4190bd556ce51be04942720650b1a3e57 | from 0, < 4.49.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-2099
- PATCHhttps://github.com/huggingface/transformers
- WEBhttps://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57
- WEBhttps://github.com/huggingface/transformers/pull/36648
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml
- WEBhttps://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4