CVE-2025-2099

Description

A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

How to fix CVE-2025-2099

To remediate CVE-2025-2099, upgrade the affected package to a fixed version below.

• —upgrade to 4.50.0 or later
• —upgrade to 8cb522b4190bd556ce51be04942720650b1a3e57 or later

Is CVE-2025-2099 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4.50.0
• from 0, < 8cb522b4190bd556ce51be04942720650b1a3e57 | from 0, < 4.49.0

CVSS scores

References (7)

• ADVISORYgithub.com/advisories/GHSA-qq3j-4f4f-9583
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-2099
• PATCHgithub.com/huggingface/transformers
• WEBgithub.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57