PT-2025-29223 · Hugging Face · Huggingface/Transformers

Published

2025-04-05

·

Updated

2025-07-11

·

CVE-2025-3933

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Hugging Face Transformers versions 4.50.3 and earlier; Hugging Face Transformers version 4.52.1
Description: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically within the token2json() method of the DonutProcessor class. The issue stems from the regex pattern <s (.*?)> which can be exploited with crafted input strings, leading to catastrophic backtracking and excessive CPU consumption. This can result in service disruption and resource exhaustion, potentially impacting document processing tasks using the Donut model.
Recommendations: Hugging Face Transformers versions prior to 4.52.1 should be updated to version 4.52.1 or later.
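The two checks a practitioner wants from this advisory are "is my installed release before the 4.52.1 fix?" and "can I bound exposure of DonutProcessor.token2json() until I upgrade?". The example below is added here and is not code from the advisory or from the transformers project; the fixed version 4.52.1 comes from the advisory, while the size budget max_chars and the callable passed as token2json are assumptions of this example.

```python
"""Version gate and input-size guard around DonutProcessor.token2json().

Added example, not part of the advisory or the transformers project.
"""
import re
from typing import Any, Callable

# Fixed release taken from the advisory; anything that sorts below it is treated as affected.
FIXED_VERSION = (4, 52, 1)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.50.3' or '4.52.1.dev0' into a tuple of the leading numeric components."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break  # stop at the first non-numeric segment, e.g. 'dev0' or 'rc1'
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed transformers release predates the fix in 4.52.1."""
    return parse_version(version) < FIXED_VERSION


def guarded_token2json(token2json: Callable[[str], Any], sequence: str,
                       max_chars: int = 4096) -> Any:
    """Invoke token2json (assumed to be DonutProcessor.token2json) only within a size budget.

    The advisory describes CPU exhaustion driven by crafted input, so the cheapest
    compensating control before upgrading is to refuse oversized sequences before
    the regex runs at all. max_chars is a constructed policy value, not a figure
    from the advisory; tune it to the longest legitimate Donut output you expect.
    """
    if len(sequence) > max_chars:
        raise ValueError(f"sequence of {len(sequence)} chars exceeds budget of {max_chars}")
    return token2json(sequence)


if __name__ == "__main__":
    try:
        import transformers  # optional: only used to report the installed release
        print("transformers", transformers.__version__,
              "affected:", is_affected(transformers.__version__))
    except ImportError:
        print("transformers not installed; checks still work on literal version strings")
```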

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2026-03546
CVE-2025-3933
GHSA-37MW-44QP-F5JM

Affected Products

Huggingface/Transformers