High severity7.5NVD Advisory· Published Sep 12, 2025· Updated Jun 17, 2026
CVE-2025-6638
CVE-2025-6638
Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
transformersPyPI | < 4.53.0 | 4.53.0 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/py3.11-text-generation-inferencepkg:apk/chainguard/text-generation-inferencepkg:apk/chainguard/text-generation-inference-compatpkg:pypi/transformers
< 3.3.6-r3+ 3 more
- (no CPE)range: < 3.3.6-r3
- (no CPE)range: < 3.3.6-r3
- (no CPE)range: < 3.3.6-r3
- (no CPE)range: < 4.53.0
- huggingface/huggingface/transformersv5Range: unspecified
Patches
Vulnerability mechanics
References
5- github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8benvdPatchWEB
- huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-59p9-h35m-wg4gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-6638ghsaADVISORY
- github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099ghsaWEB
News mentions
0No linked articles in our index yet.