CVE-2024-12720
Regular Expression Denial of Service (ReDoS) vulnerability in transformers (PyPI)

Regular Expression Denial of Service (ReDoS) No known exploit

What is CVE-2024-12720 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the huggingface/transformers library, in tokenization_nougat_fast.py. One of the regular expressions applied in post_process_single() backtracks exponentially on specially crafted input, so an attacker who can get text into that function can pin a CPU core for as long as the match runs and take the application offline. Exploitation needs nothing more than supplying the malicious input; no authentication, privilege or special tooling is involved.

Affected Software

transformers <4.48.0

Technical Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the huggingface/transformers library, specifically within the post_process_single() function in tokenization_nougat_fast.py, the post-processing step the Nougat fast tokenizer applies to generated text. One of the regular expressions in that function exhibits exponential time complexity on certain specially crafted input strings. This 'catastrophic backtracking' occurs when the pattern can consume the same characters in more than one way: on an input that ultimately fails to match, the regex engine retries every combination of choices before giving up, so the number of steps grows exponentially with the length of the crafted segment rather than linearly. The result is sustained high CPU utilisation and prolonged processing times, effectively a denial of service for any application that passes attacker-influenced text through this function. The issue was reported against v4.46.3; every release before 4.48.0 is affected.
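The following is an added illustration, not code from the transformers project and not the library's actual pattern: a constructed regex with the shape the advisory describes (an optional-whitespace group under an unbounded repeat, applied to a reference-style line) next to an unambiguous rewrite, timed on crafted input that fails only at its last character. The pattern names, the input generator and the item counts are all assumptions made for the demonstration.

```python
"""Added example (not code from the transformers project): a constructed regex
of the shape the advisory describes, an optional-whitespace group under an
unbounded repeat, next to an unambiguous rewrite, timed on crafted input."""
import re
import time

# Constructed illustration of the vulnerable shape (NOT the library's regex):
# `\s?` at both ends of the repeated group means every single space between
# items can be consumed two ways, so a failing match explores 2^(spaces) paths.
AMBIGUOUS = re.compile(r"^\* \[\d+\](?:\s?[A-Z]\.\s?)+$")

# Unambiguous rewrite matching the same lines: whitespace is only ever consumed
# by the `\s*` that precedes a letter, so there is exactly one way to match and
# a failing input is rejected in time linear in its length.
LINEAR = re.compile(r"^\* \[\d+\](?:\s*[A-Z]\.)+\s*$")


def crafted_reference_line(n: int) -> str:
    """Constructed input: a reference-style line with n 'A.' items that
    fails only at the very last character, forcing full backtracking."""
    return "* [1]" + " A." * n + "!"


def timed_search(pattern: re.Pattern, text: str) -> tuple:
    """Return (matched, elapsed_seconds) for pattern.search(text)."""
    start = time.perf_counter()
    matched = pattern.search(text) is not None
    return matched, time.perf_counter() - start


def backtracking_growth(pattern: re.Pattern, small: int, large: int) -> float:
    """Ratio of search time at `large` items to `small` items on the crafted
    line. An exponential pattern roughly doubles per added item; a linear one
    stays within a small constant factor."""
    _, t_small = timed_search(pattern, crafted_reference_line(small))
    _, t_large = timed_search(pattern, crafted_reference_line(large))
    return t_large / max(t_small, 1e-9)


if __name__ == "__main__":
    for name, pat in (("ambiguous", AMBIGUOUS), ("linear", LINEAR)):
        for n in (10, 14, 18, 20):
            matched, secs = timed_search(pat, crafted_reference_line(n))
            print(f"{name:9s} n={n:2d} matched={matched} {secs:.4f}s")
```

Each additional item in the crafted line doubles the work for AMBIGUOUS, while LINEAR rejects lines of any length almost instantly; that doubling, rather than any absolute timing, is the signature to look for when triaging a suspected ReDoS pattern. Both patterns accept a well-formed line such as "* [1] A. B. C.", which is the point of the rewrite: same accepted language, no ambiguity.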

What is the Impact of CVE-2024-12720?

Successful exploitation lets an attacker consume excessive CPU on the host for as long as the crafted match runs; each such request ties up a worker, and repeated or concurrent requests take the affected application down entirely. The impact is limited to availability: a ReDoS does not expose or modify data.

What is the Exploitability of CVE-2024-12720?

Exploitation of this ReDoS vulnerability is of low complexity. It requires only that an attacker supply specially crafted input that reaches the vulnerable regular expression. The library itself imposes no authentication or privilege requirement, since the vulnerability is triggered purely by parsing input data. The attack vector is typically remote: the attacker provides malicious input to an application that uses the susceptible library. The preconditions are that the target application uses a huggingface/transformers release before 4.48.0 (the issue was reported against v4.46.3, and 4.47.x is affected as well) and that it invokes post_process_single() on attacker-controlled data. Any application that exposes functionality dependent on this tokenization function to untrusted users or input sources is therefore at risk of a successful denial of service.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2024-12720?

Available Upgrade Options

  • transformers
    • <4.48.0 → Upgrade to 4.48.0 or later
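The check below is an added example, not part of the advisory or the transformers project: it decides whether an installed or pinned transformers version falls in the affected range (< 4.48.0) without depending on the `packaging` library. The minimal version parser is an assumption made for the example and is deliberately narrower than PEP 440; it treats dev and pre-release builds of 4.48.0 as affected, which is the conservative choice when you cannot confirm whether such a build carries the fix.

```python
"""Added example (not part of the advisory or the transformers project): decide
whether an installed or pinned transformers version is older than the first
fixed release, 4.48.0, without depending on the `packaging` library."""
import re
from importlib import metadata

FIXED_IN = "4.48.0"

# Minimal version parser: release numbers plus an optional pre-release/dev tag.
# Deliberately narrower than PEP 440 (no post-release or local segments);
# anything it does not recognise is rejected rather than guessed at.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.?(a|b|rc|dev)\d*)?$", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """Return a sortable key (major, minor, patch, is_final).
    Pre-release and dev builds sort before the final release of the same
    number, so '4.48.0.dev0' counts as older than '4.48.0'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_affected(version: str) -> bool:
    """True when `version` is older than the first fixed release (4.48.0).
    Dev and pre-release builds of 4.48.0 are treated as affected (conservative)."""
    return parse_version(version) < parse_version(FIXED_IN)


def installed_status(dist: str = "transformers"):
    """Return (version, affected) for the installed distribution, or None if
    it is not installed in this environment."""
    try:
        v = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return v, is_affected(v)


if __name__ == "__main__":
    status = installed_status()
    if status is None:
        print("transformers is not installed in this environment")
    else:
        v, bad = status
        verdict = "AFFECTED, upgrade to >= 4.48.0" if bad else "not affected"
        print(f"transformers {v}: {verdict}")
```

The same `is_affected()` call works on pinned versions read from a requirements or lock file, which is usually where this check belongs in CI; `installed_status()` covers the environment you are actually running.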


Additional Resources

What are Similar Vulnerabilities to CVE-2024-12720?

Similar Vulnerabilities: CVE-2023-32731, CVE-2023-28155, CVE-2022-36359, CVE-2022-25911, CVE-2021-45914