VYPR
High severity7.5NVD Advisory· Published Jul 7, 2025· Updated Jun 17, 2026

CVE-2025-3262

CVE-2025-3262

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the SETTING_RE variable within the transformers/commands/chat.py file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
transformersPyPI
>= 4.49.0, < 4.51.04.51.0

Affected products

2
  • ghsa-coords
    Range: >= 4.49.0, < 4.51.0
  • huggingface/huggingface/transformersv5
    Range: unspecified

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.