CVE-2025-2099

Name of the Vulnerable Software and Affected Versions huggingface/transformers version v4.48.3

Description A vulnerability in the preprocess string() function of the transformers.testing utils module allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Recommendations As a temporary workaround, consider disabling the preprocess string() function until a patch is available. Restrict access to the transformers.testing utils module to minimize the risk of exploitation. Avoid using the preprocess string() function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.