CVE-2025-3933
Regular Expression Denial of Service (ReDoS) vulnerability in transformers (PyPI)
What is CVE-2025-3933 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Hugging Face Transformers library's `DonutProcessor` class, affecting versions 4.51.3 and earlier. It allows attackers to trigger excessive CPU consumption through crafted input strings due to catastrophic backtracking in a regex pattern. This can lead to service disruption and resource exhaustion for affected applications.
Affected Software
Technical Details
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the `token2json()` method of the `DonutProcessor` class in the Hugging Face Transformers library. The root cause is a vulnerable regex pattern, specifically `<s_(.*?)>`, which is susceptible to catastrophic backtracking. When the method is supplied with a specially crafted input string containing a repeating sequence of characters, the regex engine explores an exponentially growing number of matching paths, causing excessive CPU utilization. This resource exhaustion leads to a denial of service, preventing the application from processing further requests.
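The mitigation a practitioner usually wants for this class of bug is to stop handing untrusted text to a backtracking regex at all. The following is an added example, not code from the Transformers project: it parses the Donut-style `<s_key>...</s_key>` tag format that `token2json()` converts into JSON using only `str.find()` scans and an input-length cap, so no input can cause regex backtracking. The closing-tag form `</s_key>`, the nesting and repeated-key semantics, the `MAX_TOKENS_LEN` value and the function names are assumptions made for this example, not details taken from the advisory.

```python
# Added example (not transformers' own code): a scan-based parser for the
# Donut-style tag format handled by token2json(), written without regular
# expressions so that crafted input cannot trigger catastrophic backtracking.
# The closing tag form '</s_key>', nesting rules, list semantics for repeated
# keys and the length cap are assumptions for this example.

OPEN_PREFIX = "<s_"
CLOSE_PREFIX = "</s_"
MAX_TOKENS_LEN = 65_536  # assumed defensive cap on untrusted input size


def token2json_linear(tokens: str):
    """Convert a tag string such as '<s_a>1</s_a>' into Python data.

    Sibling groups become dict entries, repeated keys become lists, and a
    group without nested tags becomes its stripped text.  If no well-formed
    group is found, the stripped input is returned unchanged.  Every scan
    uses str.find(), whose cost is bounded by the input length, so the total
    work is bounded by length times nesting depth rather than growing
    exponentially with a crafted input.
    """
    if len(tokens) > MAX_TOKENS_LEN:
        raise ValueError(f"token string longer than {MAX_TOKENS_LEN} characters")
    parsed = _parse_groups(tokens)
    return parsed if parsed else tokens.strip()


def _parse_groups(s: str) -> dict:
    """Parse consecutive <s_key>...</s_key> groups from s into a dict."""
    result = {}
    pos = 0
    while True:
        start = s.find(OPEN_PREFIX, pos)
        if start == -1:
            break
        name_end = s.find(">", start + len(OPEN_PREFIX))
        if name_end == -1:
            break  # unterminated opening tag: nothing more to parse
        key = s[start + len(OPEN_PREFIX):name_end]
        if not key or "<" in key:
            # Malformed key (e.g. '<s_foo<s_bar>'); resume from the next '<s_'.
            pos = start + len(OPEN_PREFIX)
            continue
        close_tag = f"{CLOSE_PREFIX}{key}>"
        close = s.find(close_tag, name_end + 1)
        if close == -1:
            break  # no matching closing tag: stop rather than rescan
        inner = s[name_end + 1:close]
        nested = _parse_groups(inner) if OPEN_PREFIX in inner else {}
        value = nested if nested else inner.strip()
        if key in result:
            # Repeated key: promote the existing value to a list and append.
            existing = result[key]
            if not isinstance(existing, list):
                result[key] = [existing]
            result[key].append(value)
        else:
            result[key] = value
        pos = close + len(close_tag)
    return result


if __name__ == "__main__":
    # Constructed sample input in the assumed tag format.
    sample = (
        "<s_menu><s_nm>Coffee</s_nm><s_price>3.50</s_price></s_menu>"
        "<s_menu><s_nm>Tea</s_nm><s_price>2.00</s_price></s_menu>"
        "<s_total>5.50</s_total>"
    )
    print(token2json_linear(sample))
```

The length cap is deliberately enforced before any scanning so that the cost of handling an oversized request is a single comparison; the parser itself never rescans text it has already passed, which is the property the original regex lacked.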
What is the Impact of CVE-2025-3933?
Successful exploitation may allow attackers to cause service disruption, resource exhaustion, and potential API service unavailability, severely impacting document processing tasks.
What is the Exploitability of CVE-2025-3933?
Exploiting this ReDoS vulnerability typically involves sending a malicious input string that triggers the catastrophic backtracking in the regex. The complexity is low, as it primarily requires knowledge of the vulnerable regex and how to craft an effective payload. No authentication or specific privileges are required if the affected method processes user-controlled input. The attack can be remote if the application exposes an API that feeds untrusted input to the vulnerable method. Special conditions include the application's reliance on the affected DonutProcessor and the ability of an attacker to submit crafted strings.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-3933?
Available Upgrade Options
- transformers
  - <4.52.1 → Upgrade to 4.52.1
Additional Resources
- https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93
- https://nvd.nist.gov/vuln/detail/CVE-2025-3933
- https://github.com/huggingface/transformers
- https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
- https://osv.dev/vulnerability/GHSA-37mw-44qp-f5jm
- https://github.com/huggingface/transformers/pull/37788
What are Similar Vulnerabilities to CVE-2025-3933?
Similar Vulnerabilities: CVE-2023-38546, CVE-2023-45133, CVE-2023-28155, CVE-2021-23393, CVE-2020-8172
