Hugging Face · Huggingface/Transformers · CVE-2025-1194
**Name of the Vulnerable Software and Affected Versions**
huggingface/transformers library version v4.48.1
**Description**
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability lies in the `SubWordJapaneseTokenizer` class, where regular expressions are applied to specially crafted inputs. The issue stems from a regex that exhibits exponential complexity on certain inputs, leading to excessive backtracking. This can cause high CPU usage and potential application downtime, effectively a Denial of Service (DoS) condition.
**Recommendations**
As a temporary workaround, consider disabling the `SubWordJapaneseTokenizer` class until a patch is available. Restrict access to the `tokenization_gpt_neox_japanese.py` file to minimize the risk of exploitation, and avoid using it in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
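The exponential backtracking the description attributes to the tokenizer's regex, together with an input bound a service could enforce in front of the tokenizer, as an added example that is not part of this advisory or of the transformers code base: the nested-quantifier pattern below is a constructed textbook shape standing in for the real regex (which the advisory does not reproduce), the length cap is a hypothetical value, and the cap itself is an assumption rather than one of the advisory's listed recommendations.

```python
import re
import time

# Constructed illustration only: this is NOT the regex from the transformers
# tokenizer. It has the textbook shape behind the advisory, a quantifier nested
# inside a repeated group, which lets a backtracking engine try exponentially
# many ways to split the same run of word characters before giving up.
NESTED_QUANTIFIER = re.compile(r"^(\w+\s?)*$")

# Same language, written so every repetition must begin with whitespace; the
# engine never has to choose between competing splits, so no exponential path.
UNAMBIGUOUS = re.compile(r"^(?:\w+(?:\s\w+)*\s?)?$")

# Hypothetical cap a service would enforce before any regex-heavy tokenization.
MAX_INPUT_CHARS = 10_000


def accept_input(text: str, limit: int = MAX_INPUT_CHARS) -> bool:
    """First line of defence: bound the input length before it reaches the regex."""
    return len(text) <= limit


def failing_input(n: int) -> str:
    """Constructed worst case: n word characters, then a char that forces a mismatch."""
    return "a" * n + "!"


def patterns_agree(text: str) -> bool:
    """Both patterns accept or reject the same strings; only their cost differs."""
    nested = NESTED_QUANTIFIER.fullmatch(text) is not None
    unambiguous = UNAMBIGUOUS.fullmatch(text) is not None
    return nested == unambiguous


def time_match(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds for one match attempt (illustration, not a test oracle)."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Cost roughly doubles per extra character for the nested form and stays flat
    # for the unambiguous one; the cap stops the growth before it starts.
    for n in (14, 16, 18, 20):
        text = failing_input(n)
        print(f"n={n:2d} nested={time_match(NESTED_QUANTIFIER, text):.3f}s "
              f"unambiguous={time_match(UNAMBIGUOUS, text):.6f}s")
    print("cap rejects oversized input:", not accept_input("a" * (MAX_INPUT_CHARS + 1)))
```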