
5 matches found

OSV
added 2025/07/07 12:30 p.m. · 2 views

GHSA-JJPH-296X-MRCR Transformers vulnerable to ReDoS attack through its get_imports() function

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular...

CVSS 5.3 · AI score 5.3 · EPSS 0.00096
Exploits: 1 · References: 5
vulnersOsv
added 2025/07/07 12:30 p.m. · 1 views

ace-step (=0.1.0), agent-memory-jojo (=0.1.3) +164 more potentially affected by CVE-2025-3262 via transformers (>=4.49.0 <=4.50.3)

transformers PYPI version =4.49.0, =3.2.0, =2.2.0, =0.0.5, =2026.3.1, =0.1.0, =1.2.1b20250404, =1.2.1b20250404, =1.2.1b20250404, =0.1.2, =0.1.8 - azureml-metrics =0.0.25.post1 and more Source cves: CVE-2025-3262 Source advisory: OSV:GHSA-489J-G2VX-39WF...

CVSS 7.5 · AI score 6 · EPSS 0.00318
Exploits: 1
Cvelist
added 2025/07/07 9:54 a.m. · 6 views

CVE-2025-3262 Regular Expression Denial of Service (ReDoS) in huggingface/transformers

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the SETTING_RE variable within the transformers/commands/chat.py file. The...

CVSS 5.3 · EPSS 0.00318
Exploits: 1 · References: 2
CVE
added 2025/07/07 9:54 a.m. · 24 views

CVE-2025-3262

CVE-2025-3262 — Hugging Face Transformers ReDoS: In version 4.49.0 of the transformers repository, the regex in SETTING_RE within transformers/commands/chat.py enables exponential backtracking under crafted inputs, causing denial-of-service (DoS) risk. The issue is fixed in version 4.51.0. Remed...

CVSS 7.5 · AI score 5 · EPSS 0.00318
Exploits: 1 · References: 2 · Affected Software: 1
Positive Technologies
added 2025/07/07 12:0 a.m. · 3 views

PT-2025-28150 · Hugging Face · Transformers

Name of the Vulnerable Software and Affected Versions: huggingface/transformers version 4.49.0. Description: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository. The vulnerability is due to inefficient regular expression complexity i...

CVSS 7.5 · AI score 4.9 · EPSS 0.00318
Exploits: 1 · References: 10