Transformers Regular Expression Denial of Service (ReDoS) vulnerability

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

GHSA-6RVG-6V2M-4J46 Transformers Regular Expression Denial of Service (ReDoS) vulnerability

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

CVE-2024-12720

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

CVE-2024-12720

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

CVE-2024-12720 Regular Expression Denial of Service (ReDoS) in huggingface/transformers

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

CVE-2024-12720

CVE-2024-12720 affects Hugging Face Transformers, in particular the file tokenization_nougat_fast.py within the post_process_single() function. The issue is a RegEx that can exhibit exponential backtracking, leading to high CPU usage and potential DoS under crafted input. Affected version cited: ...

CVE-2024-12720 Regular Expression Denial of Service (ReDoS) in huggingface/transformers

A Regular Expression Denial of Service ReDoS vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle function, where a regular expression processes specially crafted input. The issu...

PT-2025-12141 · Hugging Face · Huggingface/Transformers

Name of the Vulnerable Software and Affected Versions: huggingface/transformers version v4.46.3 Description: A Regular Expression Denial of Service ReDoS issue was identified in the huggingface/transformers library, specifically in the file tokenization nougat fast.py. The issue occurs in the pos...

GHSA-RH4J-5RHW-HR54 vllm: Malicious model to RCE by torch.load in hf_model_weights_iterator

Description The vllm/modelexecutor/weightutils.py implements hfmodelweightsiterator to load the model checkpoint, which is downloaded from huggingface. It use torch.load function and weightsonly parameter is default value False. There is a security warning on...

Remote Code Execution via Unsafe Torch Load in TransfoXLCorpus

Description This is a new bypass to the patch of my previous report, in which the maintainers only apply the "TRUSTREMOTECODE" to guard the vulnerable code of vocabdict = pickle.loadf, but overlooked another vulnerable code of corpusdict = torch.loadresolvedcorpusfile without setting...

MAL-2024-10727 Malicious code in huggingface-hubs (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1d238b4266e7eb2a0fbda69d410f875e0625c30fcf79647d89c6e3358cbdcb55 A campaign of probably pentest packages flooding PYPI. Installing the package or importing the module triggers reporting basic info like hostname, path and the...

Malicious code in huggingface-hubs (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1d238b4266e7eb2a0fbda69d410f875e0625c30fcf79647d89c6e3358cbdcb55 A campaign of probably pentest packages flooding PYPI. Installing the package or importing the module triggers reporting basic info like hostname, path and the...

Malicious code in huggingface-vscode (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 05d5f0f4f0cc4f4b8a99f6a6b4c1ca2e0aa13ab6cd2d0d7fd3e7a23a2d9593cb The OpenSSF Package Analysis project identified 'huggingface-vscode' @ 100.2.2 npm as malicious. It is considered malicious because: - The packa...

MAL-2024-9282 Malicious code in huggingface-vscode (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 05d5f0f4f0cc4f4b8a99f6a6b4c1ca2e0aa13ab6cd2d0d7fd3e7a23a2d9593cb The OpenSSF Package Analysis project identified 'huggingface-vscode' @ 100.2.2 npm as malicious. It is considered malicious because: - The packa...

CVE-2024-4254

The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises from the workflow's explicit checkout and execution of code from a fork, which is unsafe as it...

code injection vulnerability exists in the huggingface/text-generation-inference repository

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

GHSA-QQ99-P57R-G3V7 code injection vulnerability exists in the huggingface/text-generation-inference repository

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

CVE-2024-3924

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

CVE-2024-3924

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...

CVE-2024-3924 Code Injection in huggingface/text-generation-inference

A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the autodocs.yml workflow file. The vulnerability arises from the insecure handling of the github.headref user input, which is used to dynamically construct a command for installing ...