PT-2025-12141 · Hugging Face · Huggingface/Transformers

Published 2025-03-20 · Updated 2025-08-01 · CVE-2024-12720
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: huggingface/transformers v4.46.3
Description: A Regular Expression Denial of Service (ReDoS) issue was identified in the huggingface/transformers library, in the file tokenization_nougat_fast.py. The issue occurs in the post_process_single() function, where a regular expression applied to specially crafted input backtracks excessively and drives CPU usage very high. Because a single call can take impractically long to complete, the application can become unavailable, creating a Denial of Service (DoS) scenario.
Recommendations: For version v4.46.3, consider disabling the post_process_single() function (or the post-processing step that calls it) until a patch is available, to prevent potential Denial of Service (DoS) scenarios. Keep untrusted input away from the code path in tokenization_nougat_fast.py to minimize the risk of exploitation; bounding the length of text handed to that post-processing step also limits how long a crafted input can occupy the regex engine. Avoid using the affected library until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
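The mechanism the description names, excessive backtracking on a near-miss input, and the two mitigations the recommendations point at (rewrite or avoid the pattern; bound the input before it reaches the regex engine) are shown below as an added Python example. This is not code from the advisory or from the transformers project: VULNERABLE_RE is a textbook backtracking-prone pattern chosen for illustration and is not the regular expression in tokenization_nougat_fast.py, the crafted input is constructed here, and DEFAULT_MAX_LEN is an assumed deployment choice rather than a limit from the library.

```python
"""ReDoS mechanics and mitigations, as a constructed illustration.

VULNERABLE_RE is a textbook backtracking-prone pattern chosen for this
example. It is NOT the regular expression from transformers'
tokenization_nougat_fast.py, and nothing here reproduces that code; the
point is the mechanism the advisory describes: a near-miss input makes the
engine explore every way of partitioning the text before it can fail.
"""
import re
import time

# Nested quantifiers with overlapping responsibilities: `\w+` may end an
# iteration at any point and `\s?` may be empty, so a run of n word
# characters can be split across iterations in 2^(n-1) ways. A successful
# match returns early; an input that fails only at the very end forces the
# engine to try all of them.
VULNERABLE_RE = re.compile(r"^(\w+\s?)*$")

# Same language (words separated by single whitespace, optional trailing
# whitespace, or the empty string), restructured so each character can be
# consumed in exactly one way. Backtracking is now bounded by input length.
SAFE_RE = re.compile(r"^(?:\w+(?:\s\w+)*\s?)?$")

# Coarse defence when the pattern cannot be changed immediately: refuse
# inputs above a size bound before they reach the regex engine. The value
# is an assumed deployment choice, not a limit from the library.
DEFAULT_MAX_LEN = 4096


def crafted_input(n: int) -> str:
    """Constructed near-miss input: n word characters followed by one
    character that neither `\\w` nor `\\s` accepts, so the match fails
    only after every partition of the word run has been tried."""
    return "a" * n + "!"


def matches_vulnerable(text: str) -> bool:
    return VULNERABLE_RE.match(text) is not None


def matches_safe(text: str) -> bool:
    return SAFE_RE.match(text) is not None


def guarded_match(text: str, max_len: int = DEFAULT_MAX_LEN) -> bool:
    """Apply the backtracking-prone pattern only to size-bounded input.

    Raises ValueError instead of handing oversized text to the engine. This
    caps the worst case but does not remove it: pick `max_len` from measured
    worst-case timings on crafted input, not from typical input sizes.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit {max_len}")
    return matches_vulnerable(text)


def time_match(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds for a single match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def main() -> None:
    # Each extra character roughly doubles the vulnerable pattern's time on
    # the crafted input, while the rewritten pattern stays flat.
    for n in (12, 14, 16, 18, 20):
        text = crafted_input(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE_RE, text):8.4f}s"
              f"  safe={time_match(SAFE_RE, text):8.6f}s")
    # Oversized input is rejected before the engine ever sees it.
    try:
        guarded_match(crafted_input(DEFAULT_MAX_LEN), max_len=64)
    except ValueError as exc:
        print("guard:", exc)


if __name__ == "__main__":
    main()
```

Running the script prints the doubling directly; the interesting row is the last one, where a twenty-character string already costs the vulnerable pattern measurable time. The length cap is the mitigation you can deploy the same day; the pattern rewrite is the fix, because it removes the exponential case rather than pricing it.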

Exploit

DoS

Weakness Enumeration

Related Identifiers

CVE-2024-12720
GHSA-6RVG-6V2M-4J46

Affected Products

Huggingface/Transformers