A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Advisories
Source ID Title
EUVD EUVD EUVD-2025-29032 Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
Github GHSA Github GHSA GHSA-59p9-h35m-wg4g Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 21 Oct 2025 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:huggingface:transformers:4.52.4:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 15 Sep 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Huggingface
Huggingface transformers
Vendors & Products Huggingface
Huggingface transformers

Sat, 13 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 12 Sep 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Sep 2025 11:00:00 +0000

Type Values Removed Values Added
Description A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Title Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Weaknesses CWE-1333
References
Metrics cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2025-09-12T11:52:53.854Z

Reserved: 2025-06-25T14:07:29.841Z

Link: CVE-2025-6638

cve-icon Vulnrichment

Updated: 2025-09-12T11:52:48.581Z

cve-icon NVD

Status : Analyzed

Published: 2025-09-12T11:15:31.770

Modified: 2025-10-21T13:33:08.580

Link: CVE-2025-6638

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-12T10:46:07Z

Links: CVE-2025-6638 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-09-15T10:43:45Z