CVE-2025-3933

MEDIUM

Hugging Face Transformers <4.50.3 - DoS

Title source: llm

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

References (2)

[Patch] https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 8.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

huggingface/transformers < 4.52.1

pypi/transformers 0 - 4.52.1PyPI

Published Jul 11, 2025

Tracked Since Feb 18, 2026