Home > Vulnerability Database > CVE-2025-3263

Mend.io Vulnerability Database

CVE-2025-3263

Good to know:

Date: July 7, 2025

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the "get_configuration_file()" function within the "transformers.configuration_utils" module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern "config\.(.*)\.json" that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Severity Score

5.3

Related Resources (6)

Url: https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29

Url: https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76

Url: https://github.com/huggingface/transformers

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-3263

Url: https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca

Url: https://www.mend.io/vulnerability-database/CVE-2025-3263

Severity Score

5.3

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version transformers - 4.51.0;transformers - 4.51.0;transformers - 4.51.0;https://github.com/huggingface/transformers.git - v4.51.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-3263

Good to know:

Date: July 7, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?