PT-2025-28152 · Hugging Face · Huggingface/Transformers

Published: 2025-03-17 · Updated: 2025-08-07 · CVE-2025-3264

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Hugging Face Transformers versions 4.49.0 through 4.50.0
Description: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the get_imports() function of dynamic_module_utils.py. The issue stems from the regular expression pattern `\s*try\s*:.*?except.*?:`, which is used to strip try/except blocks from Python source before its import statements are collected. The pattern is susceptible to catastrophic backtracking, so a crafted input string causes excessive CPU consumption while it is evaluated. Because the function runs when custom model code is loaded, this can disrupt remote code loading, exhaust resources in model-serving deployments, open a supply-chain attack vector through malicious model repositories, and disrupt development pipelines.
Recommendations: Update to version 4.51.0 or later to resolve this issue.
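The root cause above is that a backtracking regex is used to do what is really a parsing job. As an added illustration (this is not the Transformers code and not the project's fix in 4.51.0), the following collects top-level import names from a Python source string with the standard-library `ast` module instead of a regex, skipping anything guarded by try/except the same way the original filter intended. `ast.parse` runs in time proportional to the input size, so there is no pathological input class to worry about; the sample module is constructed for the example.

```python
import ast
from typing import List, Set

# Constructed sample: mirrors what a custom model file on a Hub repo might look like.
SAMPLE_MODULE = """
import torch
from transformers import PreTrainedModel
try:
    import flash_attn  # optional dependency, guarded by try/except
except ImportError:
    flash_attn = None
from .local_helper import thing   # relative import, not a dependency
import os.path
"""

# `ast.TryStar` (except*) only exists on Python 3.11+, so look it up defensively.
TRY_NODES = tuple(t for t in (getattr(ast, "Try", None), getattr(ast, "TryStar", None)) if t)


def _collect(node: ast.AST, found: Set[str]) -> None:
    """Walk the tree, recording top-level module names of absolute imports.

    Whole try/except statements are skipped, so imports inside them are
    treated as optional, which is the behaviour the regex filter was after.
    """
    for child in ast.iter_child_nodes(node):
        if isinstance(child, TRY_NODES):
            continue  # do not descend into try/except at all
        if isinstance(child, ast.Import):
            for alias in child.names:
                found.add(alias.name.split(".")[0])
        elif isinstance(child, ast.ImportFrom):
            # level > 0 means a relative import (from . import x); those are
            # part of the package itself, not an external dependency.
            if child.level == 0 and child.module:
                found.add(child.module.split(".")[0])
        else:
            _collect(child, found)


def get_imports_ast(source: str) -> List[str]:
    """Regex-free replacement for an import scanner (hypothetical, added example).

    Raises SyntaxError for input that is not valid Python, which is a useful
    property for a loader: malformed "model code" is rejected up front instead
    of being pattern-matched.
    """
    tree = ast.parse(source)
    found: Set[str] = set()
    _collect(tree, found)
    return sorted(found)


if __name__ == "__main__":
    print(get_imports_ast(SAMPLE_MODULE))  # ['os', 'torch', 'transformers']
```

Two design points worth noting for anyone hardening a similar loader: the parser's cost is bounded by input length rather than by the shape of the input, which is exactly the property the `.*?` regex lacks, and rejecting unparseable input with `SyntaxError` before any further processing is a cheap extra check that the regex version never had.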

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-03547
CVE-2025-3264
GHSA-JJPH-296X-MRCR

Affected Products

Huggingface/Transformers