Transformers vulnerable to ReDoS attack through its SETTING_RE variable

🗓️ 07 Jul 2025 12:30:22Reported by GitHub Advisory DatabaseType

Transformers have a ReDoS vulnerability in version 4.49.0 due to inefficient regular expressions.

Reporter	Title	Published	Views	Family All 19
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM watsonx Code Assistant On Prem	12 Nov 202507:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service and improper input validation [CVE-2025-3262] [CVE-2025-3263] [CVE-2025-3264] [CVE-2025-3777]	9 Jul 202517:38	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Security vulnerabilities affecting IBM Knowledge Catalog Standard Cartridge	25 Mar 202619:31	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Denial of Service in huggingface/transformers [CVE-2025-3262, CVE-2025-3264, CVE-2025-3933, CVE-2025-3263]	31 Oct 202518:45	–	ibm
Circl	CVE-2025-3262	7 Jul 202511:22	–	circl
CNNVD	Hugging Face Transformers 安全漏洞	7 Jul 202500:00	–	cnnvd
CVE	CVE-2025-3262	7 Jul 202509:54	–	cve
Cvelist	CVE-2025-3262 Regular Expression Denial of Service (ReDoS) in huggingface/transformers	7 Jul 202509:54	–	cvelist
Huntr	Regular expression Denial of Service - ReDoS	7 Mar 202519:49	–	huntr
EUVD	EUVD-2025-20217	3 Oct 202520:07	–	euvd

Vulners

Node

huggingface transformersRange4.49.0–4.51.0pip

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-3262
github	www.github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76
huntr	www.huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184
github	www.github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca
github	www.github.com/advisories/GHSA-489j-g2vx-39wf

04 Aug 2025 15:29Current

4.9Medium risk

Vulners AI Score4.9

CVSS 3.17.5

CVSS 35.3

EPSS0.0043

SSVC