Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-fpwr-67px-3qhx: Transformers Regular Expression Denial of Service (ReDoS) vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

ghsa
Open in Source
#vulnerability#web#dos#git

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • GitHub Advanced Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

    • Issues

      Plan and track work

    • Code Review

      Manage code changes

    • Discussions

      Collaborate outside of code

    • Code Search

      Find more, search less

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-1194

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

Moderate severity GitHub Reviewed Published Apr 29, 2025 to the GitHub Advisory Database • Updated Apr 29, 2025

Package

pip transformers (pip)

Affected versions

< 4.50.0

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-1194
  • huggingface/transformers@92c5ca9
  • https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2

Published to the GitHub Advisory Database

Apr 29, 2025

Last updated

Apr 29, 2025

EPSS score

ghsa: Latest News

GHSA-8qff-qr5q-5pr8: OpenPGP.js's message signature verification can be spoofed
ghsa