CVE-2025-2099
Regular Expression Denial of Service (ReDoS) vulnerability in transformers (PyPI)

Regular Expression Denial of Service (ReDoS) No known exploit

What is CVE-2025-2099 About?

This vulnerability in huggingface/transformers' `preprocess_string()` function allows for a Regular Expression Denial of Service (ReDoS) attack. Nested quantifiers in a regex can cause exponential backtracking with specific inputs, leading to high CPU usage and potential application downtime. Exploitation is relatively easy by providing a specially crafted payload.

Affected Software

  • transformers
    • <4.50.0
    • <8cb522b4190bd556ce51be04942720650b1a3e57
    • <4.49.0

Technical Details

The vulnerability resides in the preprocess_string() function within the transformers.testing_utils module of huggingface/transformers version v4.48.3. This function uses a regular expression to process code blocks in docstrings. The regex contains nested quantifiers, which, given a specially crafted input string (specifically, one with a large number of newline characters), can lead to exponential backtracking by the regex engine. This causes a significant increase in processing time and CPU utilization, effectively stalling the application and preventing it from responding to further requests. An attacker can exploit this by providing a payload designed to trigger this exponential backtracking behavior, resulting in a Denial of Service (DoS) condition.
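As an added illustration (not code from the transformers project), the following check parses a pattern with Python's own regex parser and flags the shape this advisory describes: an unbounded quantifier nested inside another unbounded quantifier. The patterns it runs on are constructed stand-ins; the regex in transformers.testing_utils is not reproduced here.

```python
# Added example, not code from the transformers project: a static check for the
# regex shape behind this CVE (an unbounded quantifier nested inside another),
# so such patterns are caught in review before they meet untrusted input.
# Patterns below are constructed stand-ins; the real regex is not reproduced.
try:  # Python 3.11+ keeps the regex parser under private names inside re
    from re import _constants as sre_constants, _parser as sre_parse
except ImportError:  # older interpreters expose the public modules instead
    import sre_constants
    import sre_parse

UNBOUNDED_OPS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)

def _children(arg):
    """Yield every SubPattern nested anywhere inside a parsed node's argument."""
    if isinstance(arg, sre_parse.SubPattern):
        yield arg
    elif isinstance(arg, (tuple, list)):
        for item in arg:
            yield from _children(item)

def _count_nested(subpattern, inside_unbounded):
    """Count unbounded repeats that sit inside another unbounded repeat."""
    hits = 0
    for op, arg in subpattern.data:
        if op in UNBOUNDED_OPS:
            _lo, hi, body = arg
            unbounded = hi == sre_constants.MAXREPEAT  # written as +, * or {n,}
            if unbounded and inside_unbounded:
                hits += 1
            hits += _count_nested(body, inside_unbounded or unbounded)
        else:  # groups, alternations, lookarounds: descend, keep the flag
            for child in _children(arg):
                hits += _count_nested(child, inside_unbounded)
    return hits

def nested_quantifier_count(pattern):
    """Return how many nested unbounded quantifiers `pattern` contains."""
    return _count_nested(sre_parse.parse(pattern), False)

def is_redos_prone(pattern):
    """True when the pattern has the nested-quantifier shape, e.g. (\\n+)+."""
    return nested_quantifier_count(pattern) > 0

if __name__ == "__main__":
    for pat in (r"(\n+)+$", r"\n+$", r"(a{2,5}){1,3}", r"(?:a|b)+"):
        print(f"{pat!r:20} nested={nested_quantifier_count(pat)}")
```

The check is syntactic and conservative: a nested repeat whose inner and outer pieces cannot overlap is flagged too, so treat a hit as a prompt to review the pattern and bound its input, not as proof of exponential behaviour.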

What is the Impact of CVE-2025-2099?

Successful exploitation may allow attackers to cause a denial of service, leading to high CPU utilization, unresponsiveness, and potential application downtime.

What is the Exploitability of CVE-2025-2099?

Exploiting this ReDoS vulnerability involves crafting a specific input string that triggers the exponential backtracking in the regex. The complexity is low to medium, requiring knowledge of the vulnerable regular expression and its behavior with specific character sequences. No authentication or special privileges are required; any attacker capable of supplying input to the preprocess_string() function can attempt exploitation. This is typically a remote attack, where the attacker sends malicious data through an application interface. The primary risk factor is applications that process untrusted or user-supplied strings using the vulnerable preprocess_string() function without adequate input validation or resource limits.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-2099?

Available Upgrade Options

  • transformers
    • <4.50.0 → Upgrade to 4.50.0
    • <4.49.0 → Upgrade to 4.49.0
    • <8cb522b4190bd556ce51be04942720650b1a3e57 → Upgrade to 8cb522b4190bd556ce51be04942720650b1a3e57


Additional Resources

What are Similar Vulnerabilities to CVE-2025-2099?

Similar Vulnerabilities: CVE-2024-9506, CVE-2023-37270, CVE-2023-36665, CVE-2022-25916, CVE-2021-39141