Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability

A Regular Expression Denial of Service ReDoS vulnerability exists in the Hugging Face Transformers library, specifically in the converttfweightnametoptweightname function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern /^/^// that can be...

CVE-2025-5197

The CVE-2025-5197 ReDoS vulnerability affects Hugging Face Transformers in the convert_tf_weight_name_to_pt_weight_name() function, where the regex /[^/]___([^/] )/ can cause excessive CPU usage via catastrophic backtracking. Affected versions: up to 4.51.3, with a fix in 4.53.0. Practical impact...