CVE-2025-6051
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| huggingface | huggingface/transformers | unspecified < 4.53.0 | affected |
Weaknesses
- CWE-1333: CWE-1333 Inefficient Regular Expression Complexity
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
- https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.