Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS02cnZnLTZ2Mm0tNGo0Ns4ABFth

Moderate EPSS: 0.00141% (0.34888 Percentile) EPSS:
Permalink JSON

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

Affected Packages Affected Versions Fixed Versions
pypi:transformers < 4.48.0 4.48.0
2,589 Dependent packages
31,800 Dependent repositories
70,457,963 Downloads last month

Affected Version Ranges

All affected versions

2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.16.0, 4.16.1, 4.16.2, 4.17.0, 4.18.0, 4.19.0, 4.19.1, 4.19.2, 4.19.3, 4.19.4, 4.20.0, 4.20.1, 4.21.0, 4.21.1, 4.21.2, 4.21.3, 4.22.0, 4.22.1, 4.22.2, 4.23.0, 4.23.1, 4.24.0, 4.25.0, 4.25.1, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.28.0, 4.28.1, 4.29.0, 4.29.1, 4.29.2, 4.30.0, 4.30.1, 4.30.2, 4.31.0, 4.32.0, 4.32.1, 4.33.0, 4.33.1, 4.33.2, 4.33.3, 4.34.0, 4.34.1, 4.35.0, 4.35.1, 4.35.2, 4.36.0, 4.36.1, 4.36.2, 4.37.0, 4.37.1, 4.37.2, 4.38.0, 4.38.1, 4.38.2, 4.39.0, 4.39.1, 4.39.2, 4.39.3, 4.40.0, 4.40.1, 4.40.2, 4.41.0, 4.41.1, 4.41.2, 4.42.0, 4.42.1, 4.42.2, 4.42.3, 4.42.4, 4.43.0, 4.43.1, 4.43.2, 4.43.3, 4.43.4, 4.44.0, 4.44.1, 4.44.2, 4.45.0, 4.45.1, 4.45.2, 4.46.0, 4.46.1, 4.46.2, 4.46.3, 4.47.0, 4.47.1

All unaffected versions

4.48.0, 4.48.1, 4.48.2, 4.48.3, 4.49.0, 4.50.0, 4.50.1, 4.50.2, 4.50.3, 4.51.0, 4.51.1, 4.51.2, 4.51.3, 4.52.0, 4.52.1, 4.52.2, 4.52.3, 4.52.4, 4.53.0, 4.53.1, 4.53.2, 4.53.3, 4.54.0

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.

References:

Identifiers

GHSA-6rvg-6v2m-4j46

CVE-2024-12720

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00141

EPSS Percentile: 0.34888

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/huggingface/transformers

Date and time

Published

4 months ago

Updated

4 months ago

API

JSON