CVE-2025-1194

Name of the Vulnerable Software and Affected Versions huggingface/transformers library version v4.48.1

Description A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization gpt neox japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario.

Recommendations As a temporary workaround, consider disabling the SubWordJapaneseTokenizer class until a patch is available. Restrict access to the tokenization gpt neox japanese.py file to minimize the risk of exploitation. Avoid using the tokenization gpt neox japanese.py file in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.