CVE-2025-2099

{"id": "CVE-2025-2099", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-05-19T12:15:19.640", "references": [{"url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario."}, {"lang": "es", "value": "Una vulnerabilidad en la funci\u00f3n `preprocess_string()` del m\u00f3dulo `transformers.testing_utils` en huggingface/transformers versi\u00f3n v4.48.3 permite un ataque de denegaci\u00f3n de servicio (ReDoS) mediante expresiones regulares. La expresi\u00f3n regular utilizada para procesar bloques de c\u00f3digo en cadenas de documentaci\u00f3n contiene cuantificadores anidados, lo que provoca un retroceso exponencial al procesar entradas con un gran n\u00famero de caracteres de nueva l\u00ednea. Un atacante puede explotar esto proporcionando un payload especialmente manipulado, lo que provoca un alto consumo de CPU y un posible tiempo de inactividad de la aplicaci\u00f3n, lo que resulta en un escenario de denegaci\u00f3n de servicio (DoS)."}], "lastModified": "2025-05-21T17:43:15.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C6BB08B-59CD-4524-AC16-55130113AE69", "versionEndIncluding": "4.48.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}