PT-2025-37307 · Hugging Face · Huggingface/Transformers
Published: 2025-09-12 · Updated: 2025-09-12 · CVE-2025-6638
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Hugging Face Transformers versions prior to 4.53.0
Description: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the remove_language_code() method of the MarianTokenizer. The issue arises from inefficient regular expression processing: crafted input strings containing malformed language code patterns cause excessive CPU consumption and can lead to denial of service.
Recommendations: Update to version 4.53.0 or later.
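An added illustration, not the Transformers source: the ">>fr<<" code format, both patterns and the helper names are assumptions based on the advisory's description. It places an unbounded greedy pattern beside a bounded one and includes the kind of time-budget check a maintainer can run before shipping a regex over untrusted input.

```python
import re
import time

# Constructed illustration, not the Transformers source. Marian-style language
# codes are assumed to look like ">>fr<<" at the start of the text.

# Unbounded greedy pattern: on a string holding many unclosed ">>" markers the
# engine consumes to the end and backtracks from every marker, so total work
# grows quadratically with the input length (the defect class the advisory names).
UNBOUNDED_RE = re.compile(r">>.+<<")

# Bounded pattern: a code is a short run of characters that are not '<' or '>',
# so the engine never backtracks across other markers and work stays linear.
BOUNDED_RE = re.compile(r">>[^<>]{1,32}<<")


def remove_language_code(text: str, pattern: re.Pattern = BOUNDED_RE):
    """Return (codes found, text with the codes removed)."""
    codes = pattern.findall(text)
    return codes, pattern.sub("", text)


def malformed_input(marker_count: int) -> str:
    """Constructed test vector: opening markers that are never closed."""
    return ">>" * marker_count


def runs_within(pattern: re.Pattern, text: str, budget_s: float) -> bool:
    """Pre-deployment check: does stripping codes from `text` finish in budget?"""
    start = time.perf_counter()
    remove_language_code(text, pattern)
    return time.perf_counter() - start <= budget_s


if __name__ == "__main__":
    print(remove_language_code(">>fr<< Bonjour le monde"))
    sample = malformed_input(4000)
    for name, pat in (("unbounded", UNBOUNDED_RE), ("bounded", BOUNDED_RE)):
        print(name, "within 0.5s:", runs_within(pat, sample, 0.5))
```

Raising `marker_count` makes the unbounded pattern's runtime grow roughly with the square of the input size while the bounded pattern stays flat, which is the behaviour a regression test for this class of bug should pin down.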

DoS

Weakness Enumeration

Related Identifiers

CVE-2025-6638
GHSA-59P9-H35M-WG4G

Affected Products

Huggingface/Transformers