Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1mcHdyLTY3cHgtM3FoeM4ABHQB

Moderate EPSS: 0.00049% (0.14977 Percentile) EPSS:
Permalink JSON

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

Affected Packages Affected Versions Fixed Versions
pypi:transformers < 4.50.0 4.50.0
2,589 Dependent packages
31,800 Dependent repositories
71,422,624 Downloads last month

Affected Version Ranges

All affected versions

2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.7.0, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.4.0, 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.8.1, 4.8.2, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.12.4, 4.12.5, 4.13.0, 4.14.0, 4.14.1, 4.15.0, 4.16.0, 4.16.1, 4.16.2, 4.17.0, 4.18.0, 4.19.0, 4.19.1, 4.19.2, 4.19.3, 4.19.4, 4.20.0, 4.20.1, 4.21.0, 4.21.1, 4.21.2, 4.21.3, 4.22.0, 4.22.1, 4.22.2, 4.23.0, 4.23.1, 4.24.0, 4.25.0, 4.25.1, 4.26.0, 4.26.1, 4.27.0, 4.27.1, 4.27.2, 4.27.3, 4.27.4, 4.28.0, 4.28.1, 4.29.0, 4.29.1, 4.29.2, 4.30.0, 4.30.1, 4.30.2, 4.31.0, 4.32.0, 4.32.1, 4.33.0, 4.33.1, 4.33.2, 4.33.3, 4.34.0, 4.34.1, 4.35.0, 4.35.1, 4.35.2, 4.36.0, 4.36.1, 4.36.2, 4.37.0, 4.37.1, 4.37.2, 4.38.0, 4.38.1, 4.38.2, 4.39.0, 4.39.1, 4.39.2, 4.39.3, 4.40.0, 4.40.1, 4.40.2, 4.41.0, 4.41.1, 4.41.2, 4.42.0, 4.42.1, 4.42.2, 4.42.3, 4.42.4, 4.43.0, 4.43.1, 4.43.2, 4.43.3, 4.43.4, 4.44.0, 4.44.1, 4.44.2, 4.45.0, 4.45.1, 4.45.2, 4.46.0, 4.46.1, 4.46.2, 4.46.3, 4.47.0, 4.47.1, 4.48.0, 4.48.1, 4.48.2, 4.48.3, 4.49.0

All unaffected versions

4.50.0, 4.50.1, 4.50.2, 4.50.3, 4.51.0, 4.51.1, 4.51.2, 4.51.3, 4.52.0, 4.52.1, 4.52.2, 4.52.3, 4.52.4, 4.53.0, 4.53.1, 4.53.2, 4.53.3, 4.54.0

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

References:

Identifiers

GHSA-fpwr-67px-3qhx

CVE-2025-1194

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00049

EPSS Percentile: 0.14977

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/huggingface/transformers

Date and time

Published

3 months ago

Updated

3 months ago

API

JSON