Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Description
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the convert_tf_weight_name_to_pt_weight_name() function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern /[^/]*___([^/]*)/ that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A ReDoS vulnerability in Hugging Face Transformers' weight name conversion function allows crafted input to cause excessive CPU consumption via catastrophic backtracking.
Vulnerability
Overview
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the convert_tf_weight_name_to_pt_weight_name() function. This function converts TensorFlow weight names to PyTorch format using the regex pattern /[^/]*___([^/]*)/. The regex is susceptible to catastrophic backtracking when processing crafted input strings containing many ___ separators, leading to excessive CPU consumption and potential service disruption [1][2].
Exploitation
Prerequisites
An attacker can exploit this vulnerability by providing a specially crafted TensorFlow weight name to the conversion function. The attack does not require authentication if the function is exposed via an API or service that accepts user-supplied weight names. The crafted input must contain a long string with multiple ___ patterns to trigger the backtracking behavior. The vulnerability affects versions up to 4.51.3 [2].
Impact
Successful exploitation results in a denial of service (DoS) condition, causing resource exhaustion and potentially impacting API services that rely on model conversion between TensorFlow and PyTorch formats. This can lead to service disruption and degraded performance for users of the affected library [2].
Mitigation
The vulnerability is fixed in Transformers version 4.53.0. The fix introduces a validation check that raises a ValueError if the TF variable name exceeds 2048 characters and contains ___, or if the count of ___ separators exceeds 10, preventing the regex from being evaluated on malicious input [3][4]. Users are advised to upgrade to version 4.53.0 or later.
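The guard the fix introduces, re-implemented here as an added example (not the library's own code) next to the rename the regex performs, so the two thresholds and the `/$1___$2/` to `/$2/` rewrite can be exercised on constructed names. Unlike the patch, the error message reports sizes instead of echoing the rejected name; that choice is mine, not the project's.

```python
import re

# Constructed re-implementation of the 4.53.0 guard plus the rename it protects.
# The pattern and the thresholds (2048 characters, 10 separators) are the ones
# the fix uses; the input is assumed to be already stripped of its name scope
# and ":0" device suffix, as in the library.
_TF_TO_PT_LAYER_RE = re.compile(r"/[^/]*___([^/]*)/")
MAX_NAME_LEN_WITH_SEPARATOR = 2048
MAX_SEPARATOR_COUNT = 10


def is_suspicious_tf_name(tf_name: str) -> bool:
    """Mirror of the ReDoS guard: a long name that contains the separator,
    or any name with more than 10 separators, is rejected before the regex
    ever runs on it. A long name with no '___' is still allowed."""
    return (len(tf_name) > MAX_NAME_LEN_WITH_SEPARATOR and "___" in tf_name) or (
        tf_name.count("___") > MAX_SEPARATOR_COUNT
    )


def rename_tf_layers(tf_name: str) -> str:
    """Apply '/$1___$2/' -> '/$2/' only after the guard passes.

    Because '[^/]*' is greedy, a segment with several separators keeps only
    the text after the last one ('/x___y___z/' becomes '/z/')."""
    if is_suspicious_tf_name(tf_name):
        # Report sizes rather than copying an oversized, untrusted string
        # into the exception text (and from there into logs).
        raise ValueError(
            f"TF variable name rejected: len={len(tf_name)}, "
            f"separators={tf_name.count('___')}"
        )
    return _TF_TO_PT_LAYER_RE.sub(r"/\1/", tf_name)
```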
- GitHub - huggingface/transformers: 🤗 Transformers: the model-definition framework for state-of-the-art machine learning models in text, vision, audio, and multimodal models, for both inference and training.
- NVD - CVE-2025-5197
- slight tweak to conditional · huggingface/transformers@944b560
- Stop TF weight rename reDOS (#38325) · huggingface/transformers@701caef
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| transformers (PyPI) | < 4.53.0 | 4.53.0 |
Affected products
- Range: <4.53.0
- huggingface/huggingface/transformers v5, Range: unspecified
Patches
701caef704e3 Stop TF weight rename reDOS (#38325)
1 file changed · +3 −0
src/transformers/modeling_tf_pytorch_utils.py+3 −0 modified@@ -78,6 +78,9 @@ def convert_tf_weight_name_to_pt_weight_name( tf_name = tf_name[len(name_scope) :] tf_name = tf_name.lstrip("/") tf_name = tf_name.replace(":0", "") # device ids + if (len(tf_name) > 2048 and "___" in tf_name) or tf_name.count("___") > 10: + # ReDOS check + raise ValueError("TF variable name is too long or contains too many ___ separators: " + tf_name) tf_name = re.sub( r"/[^/]*___([^/]*)/", r"/\1/", tf_name ) # '$1___$2' is replaced by $2 (can be used to duplicate or remove layers in TF2.0 vs PyTorch)
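Review bot: the added `raise ValueError("TF variable name is too long or contains too many ___ separators: " + tf_name)` line copies the full rejected name into the exception; since this guard fires exactly on names longer than 2048 characters (or with more than 10 separators), the oversized attacker-controlled string ends up in tracebacks and logs, so report `len(tf_name)` and `tf_name.count("___")` or a truncated prefix instead. The thresholds 2048 and 10 in the `if` line are bare literals; a named constant with a comment explaining why a single `___` in a long name is enough to reject it would keep the rationale next to the code.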
944b56000be5 slight tweak to conditional
1 file changed · +1 −0
src/transformers/modeling_tf_pytorch_utils.py+1 −0 modified@@ -79,6 +79,7 @@ def convert_tf_weight_name_to_pt_weight_name( tf_name = tf_name.lstrip("/") tf_name = tf_name.replace(":0", "") # device ids if (len(tf_name) > 2048 and "___" in tf_name) or tf_name.count("___") > 10: + # ReDOS check raise ValueError("TF variable name is too long or contains too many ___ separators: " + tf_name) tf_name = re.sub( r"/[^/]*___([^/]*)/", r"/\1/", tf_name
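Review bot: the hunk shows only the added `# ReDOS check` comment line, while the context line `if (len(tf_name) > 2048 and "___" in tf_name) or tf_name.count("___") > 10:` is unchanged, so the title "slight tweak to conditional" does not match what the diff shows and the commit message should say what was tweaked. The comment itself would be more useful if it named the guarded pattern `r"/[^/]*___([^/]*)/"` and the reason for the 2048 and 10 thresholds rather than a bare label.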
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9356-575x-2w9m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-5197 (ghsa, ADVISORY)
- github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a (ghsa, WEB)
- github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b (ghsa, WEB)
- huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf (ghsa, WEB)