CVE-2025-6051

MEDIUM

Hugging Face Transformers <4.52.4 - DoS

Title source: llm

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

References (2)

[Patch] https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Patch, Third Party Advisory] https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d

Scores

CVSS v3 5.3

EPSS 0.0003

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

huggingface/transformers 4.52.4

pypi/transformers 0 - 4.53.0PyPI

Published Sep 14, 2025

Tracked Since Feb 18, 2026