CVE-2025-2099

A vulnerability in the preprocess_string() function of the transformers.testing_utils module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Published: May 19, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-2099
GHSA: GHSA-qq3j-4f4f-9583
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWEs:

CWE-1333

Affected Software
References

Software	From	Fixed in
transformers	-	4.50.0
huggingface / transformers	-	4.48.3.x

https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57
https://github.com/huggingface/transformers/pull/36648
https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml
https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4

Vulnerability Database

CVE-2025-2099