PT-2025-39174 · Hugging Face · Transformers

Published 2025-06-18 · Updated 2025-10-10 · CVE-2025-6921

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: huggingface/transformers versions prior to 4.53.0

Description: The software is susceptible to a Regular Expression Denial of Service (ReDoS) within the AdamWeightDecay optimizer. The issue stems from the `_do_use_weight_decay` method, which handles user-provided regular expressions found in the `include_in_weight_decay` and `exclude_from_weight_decay` lists. Specifically, malicious regular expressions can trigger catastrophic backtracking during the `re.search` call, resulting in high CPU usage and a denial of service. Attackers controlling these patterns can disrupt machine learning tasks and cause services to become unresponsive.

Recommendations: Update to version 4.53.0 or later.
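The following is an added illustration, not code from the transformers project: a small filter that mirrors the include/exclude semantics the advisory describes, with the vulnerable shape (each list entry compiled as a caller-supplied regex and fed to `re.search`) beside a hardened shape that escapes each entry so it is matched as a literal substring, which removes the backtracking risk because an escaped pattern contains no quantifiers or alternations. The class name and the `literal` switch are hypothetical; the parameter names in the test are constructed.

```python
import re
from typing import Iterable, Optional


class WeightDecayFilter:
    """Decide whether a parameter name receives weight decay.

    Hypothetical illustration of the advisory's pattern lists. With
    literal=False every list entry is treated as a regular expression,
    which is the vulnerable shape: an attacker-controlled pattern can
    make re.search backtrack catastrophically. With literal=True (the
    default) every entry is passed through re.escape first, so a list
    entry can only ever match as a plain substring and no user input
    reaches the regex engine as syntax.
    """

    def __init__(
        self,
        include: Optional[Iterable[str]] = None,
        exclude: Optional[Iterable[str]] = None,
        *,
        literal: bool = True,
    ) -> None:
        def build(pattern: str) -> "re.Pattern[str]":
            # Hardened path: neutralise metacharacters before compiling.
            return re.compile(re.escape(pattern) if literal else pattern)

        # Compile once at construction time instead of on every lookup.
        self._include = [build(p) for p in (include or [])]
        self._exclude = [build(p) for p in (exclude or [])]

    def use_weight_decay(self, param_name: str) -> bool:
        # Include-list matches win, then exclude-list matches, then default on.
        if any(r.search(param_name) for r in self._include):
            return True
        if any(r.search(param_name) for r in self._exclude):
            return False
        return True
```

If genuine regex semantics are required, the practical alternative is to accept the pattern lists only from trusted configuration rather than from request data, since Python's `re` module offers no timeout.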

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2025-12550
CVE-2025-6921
GHSA-4W7R-H757-3R74

Affected Products

Transformers