CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
CVE-2025-5197 (GCVE-0-2025-5197)
Vulnerability from cvelistv5 – Published: 2025-08-06 11:53 – Updated: 2025-08-06 13:03- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.53.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5197",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T13:02:53.771161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T13:03:10.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.53.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T11:53:37.232Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf"
},
{
"url": "https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b"
}
],
"source": {
"advisory": "3f8b3fd0-166b-46e7-b60f-60dd9d2678bf",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-5197",
"datePublished": "2025-08-06T11:53:37.232Z",
"dateReserved": "2025-05-26T09:26:53.172Z",
"dateUpdated": "2025-08-06T13:03:10.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4727 (GCVE-0-2025-4727)
Vulnerability from cvelistv5 – Published: 2025-05-15 23:00 – Updated: 2025-05-16 13:21| URL | Tags |
|---|---|
| https://vuldb.com/?id.309029 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.309029 | signaturepermissions-required |
| https://vuldb.com/?submit.570441 | third-party-advisory |
| https://github.com/meteor/meteor/issues/13713 | issue-tracking |
| https://github.com/meteor/meteor/pull/13721 | issue-tracking |
| https://github.com/meteor/meteor/commit/f7ea6817b… | patch |
| https://github.com/meteor/meteor/releases/tag/rel… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4727",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-16T13:21:14.285120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-16T13:21:17.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.570441"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Meteor",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.2.0"
},
{
"status": "affected",
"version": "3.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/ddp-server/livedata_server.js. The manipulation of the argument forwardedFor leads to inefficient regular expression complexity. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.2 is able to address this issue. The identifier of the patch is f7ea6817b90952baaea9baace2a3b4366fee6a63. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in Meteor bis 3.2.1 gefunden. Hierbei geht es um die Funktion Object.assign der Datei packages/ddp-server/livedata_server.js. Mittels Manipulieren des Arguments forwardedFor mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 3.2.2 vermag dieses Problem zu l\u00f6sen. Der Patch wird als f7ea6817b90952baaea9baace2a3b4366fee6a63 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T23:00:08.288Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-309029 | Meteor livedata_server.js Object.assign redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.309029"
},
{
"name": "VDB-309029 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.309029"
},
{
"name": "Submit #570441 | meteor https://www.meteor.com/ \u003c=3.2.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.570441"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/meteor/meteor/issues/13713"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/meteor/meteor/pull/13721"
},
{
"tags": [
"patch"
],
"url": "https://github.com/meteor/meteor/commit/f7ea6817b90952baaea9baace2a3b4366fee6a63"
},
{
"tags": [
"patch"
],
"url": "https://github.com/meteor/meteor/releases/tag/release/METEOR%403.2.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-15T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-15T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-15T09:18:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "Meteor livedata_server.js Object.assign redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4727",
"datePublished": "2025-05-15T23:00:08.288Z",
"dateReserved": "2025-05-15T07:12:45.376Z",
"dateUpdated": "2025-05-16T13:21:17.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4690 (GCVE-0-2025-4690)
Vulnerability from cvelistv5 – Published: 2025-08-19 13:19 – Updated: 2025-08-19 13:35 Unsupported When Assigned X_Open Source- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://www.herodevs.com/vulnerability-directory/… | third-party-advisory |
| https://codepen.io/herodevs/pen/RNNEPzP/751b91eab… | technical-descriptionexploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4690",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-19T13:26:50.740352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T13:35:50.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-4690"
},
{
"tags": [
"exploit"
],
"url": "https://codepen.io/herodevs/pen/RNNEPzP/751b91eab7730dff277523f3d50e4b77"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://registry.npmjs.org",
"defaultStatus": "unaffected",
"packageName": "angular-sanitize",
"product": "AngularJS",
"repo": "https://github.com/angular/angular.js",
"vendor": "Google",
"versions": [
{
"status": "affected",
"version": "\u003e=0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Kalpakas"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A regular expression used by AngularJS\u0027\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/api/ngSanitize/filter/linky\"\u003e\u003ccode\u003elinky\u003c/code\u003e\u003c/a\u003e\u0026nbsp;filter to detect URLs in input text is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can cause a \n\n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\"\u003eRegular expression Denial of Service (ReDoS)\u003c/a\u003e\u0026nbsp;attack on\u0026nbsp;the application.\u003cbr\u003e\u003cbr\u003eThis issue affects all versions of AngularJS.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eNote:\u003c/b\u003e\u003cbr\u003eThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.angularjs.org/misc/version-support-status\"\u003ehere\u003c/a\u003e."
}
],
"value": "A regular expression used by AngularJS\u0027\u00a0 linky https://docs.angularjs.org/api/ngSanitize/filter/linky \u00a0filter to detect URLs in input text is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can cause a \n\n Regular expression Denial of Service (ReDoS) https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS \u00a0attack on\u00a0the application.\n\nThis issue affects all versions of AngularJS.\n\nNote:\nThe AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status ."
}
],
"impacts": [
{
"capecId": "CAPEC-492",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-492 Regular Expression Exponential Blowup"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-19T13:19:27.919Z",
"orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"shortName": "HeroDevs"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.herodevs.com/vulnerability-directory/cve-2025-4690"
},
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://codepen.io/herodevs/pen/RNNEPzP/751b91eab7730dff277523f3d50e4b77"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned",
"x_open-source"
],
"title": "AngularJS \u0027linky\u0027 filter ReDoS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
"assignerShortName": "HeroDevs",
"cveId": "CVE-2025-4690",
"datePublished": "2025-08-19T13:19:27.919Z",
"dateReserved": "2025-05-14T15:39:08.634Z",
"dateUpdated": "2025-08-19T13:35:50.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4215 (GCVE-0-2025-4215)
Vulnerability from cvelistv5 – Published: 2025-05-02 20:31 – Updated: 2025-06-12 00:12| URL | Tags |
|---|---|
| https://vuldb.com/?id.307194 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.307194 | signaturepermissions-required |
| https://vuldb.com/?submit.562301 | third-party-advisory |
| https://github.com/gorhill/uBlock/commit/eaedaf5b… | patch |
| https://github.com/gorhill/uBlock/releases/tag/1.… | patch |
| https://lists.debian.org/debian-lts-announce/2025… |
| Vendor | Product | Version | |
|---|---|---|---|
| gorhill | uBlock Origin |
Affected:
1.63.3b16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T14:55:50.256204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T14:56:03.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-12T00:12:13.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"UI"
],
"product": "uBlock Origin",
"vendor": "gorhill",
"versions": [
{
"status": "affected",
"version": "1.63.3b16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in gorhill uBlock Origin bis 1.63.3b16 ausgemacht. Betroffen hiervon ist die Funktion currentStateChanged der Datei src/js/1p-filters.js der Komponente UI. Durch Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.63.3b17 vermag dieses Problem zu l\u00f6sen. Der Patch wird als eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:31:05.334Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307194 | gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307194"
},
{
"name": "VDB-307194 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307194"
},
{
"name": "Submit #562301 | uBlock @gorhill/ubo-core \u003e=npm_0.1.11 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.562301"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-02T14:58:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4215",
"datePublished": "2025-05-02T20:31:05.334Z",
"dateReserved": "2025-05-02T12:51:52.695Z",
"dateUpdated": "2025-06-12T00:12:13.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3986 (GCVE-0-2025-3986)
Vulnerability from cvelistv5 – Published: 2025-04-27 21:00 – Updated: 2025-04-28 17:38| URL | Tags |
|---|---|
| https://vuldb.com/?id.306322 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.306322 | signaturepermissions-required |
| https://vuldb.com/?submit.557473 | third-party-advisory |
| https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3986",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T17:34:50.472484Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T17:38:45.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\\core\\cas-server-core-configuration-metadata-repository\\src\\main\\java\\org\\apereo\\cas\\metadata\\rest\\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Apereo CAS 5.2.6 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei cas-5.2.6\\core\\cas-server-core-configuration-metadata-repository\\src\\main\\java\\org\\apereo\\cas\\metadata\\rest\\CasConfigurationMetadataServerController.java. Mittels dem Manipulieren des Arguments Name mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T21:00:07.694Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306322 | Apereo CAS CasConfigurationMetadataServerController.java redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306322"
},
{
"name": "VDB-306322 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306322"
},
{
"name": "Submit #557473 | Apereo CAS v5.2.6 ReDos Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557473"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS CasConfigurationMetadataServerController.java redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3986",
"datePublished": "2025-04-27T21:00:07.694Z",
"dateReserved": "2025-04-26T08:07:08.619Z",
"dateUpdated": "2025-04-28T17:38:45.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3985 (GCVE-0-2025-3985)
Vulnerability from cvelistv5 – Published: 2025-04-27 20:31 – Updated: 2025-04-28 18:09| URL | Tags |
|---|---|
| https://vuldb.com/?id.306321 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.306321 | signaturepermissions-required |
| https://vuldb.com/?submit.557110 | third-party-advisory |
| https://wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3985",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T18:02:23.445535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T18:09:01.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CAS",
"vendor": "Apereo",
"versions": [
{
"status": "affected",
"version": "5.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caichaoxiong (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Apereo CAS 5.2.6 ausgemacht. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion ResponseEntity der Datei cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\ManageRegisteredServicesMultiActionController.java. Durch Manipulation des Arguments Query mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-27T20:31:06.556Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-306321 | Apereo CAS ResponseEntity redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.306321"
},
{
"name": "VDB-306321 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.306321"
},
{
"name": "Submit #557110 | Apereo CAS v5.2.6 ReDos regular expression engine denial of service",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.557110"
},
{
"tags": [
"exploit"
],
"url": "https://wx.mail.qq.com/s?k=lzDuxVkSRXUZ0bwZEG"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-04-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-04-26T10:12:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Apereo CAS ResponseEntity redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-3985",
"datePublished": "2025-04-27T20:31:06.556Z",
"dateReserved": "2025-04-26T08:07:05.931Z",
"dateUpdated": "2025-04-28T18:09:01.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3933 (GCVE-0-2025-3933)
Vulnerability from cvelistv5 – Published: 2025-07-11 09:22 – Updated: 2025-07-11 15:07- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.52.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3933",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-11T14:34:20.168976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T15:07:34.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.52.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class\u0027s `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `\u003cs_(.*?)\u003e` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T09:22:27.103Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b"
},
{
"url": "https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93"
}
],
"source": {
"advisory": "25282953-5827-4384-bb6f-5790d275721b",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-3933",
"datePublished": "2025-07-11T09:22:27.103Z",
"dateReserved": "2025-04-25T13:37:56.821Z",
"dateUpdated": "2025-07-11T15:07:34.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3264 (GCVE-0-2025-3264)
Vulnerability from cvelistv5 – Published: 2025-07-07 09:55 – Updated: 2025-07-07 14:40- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.51.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3264",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T14:37:34.878471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:40:12.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.51.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T09:55:11.030Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df"
},
{
"url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"
}
],
"source": {
"advisory": "3c6f7822-9992-476d-8cf0-b0b1623427df",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-3264",
"datePublished": "2025-07-07T09:55:11.030Z",
"dateReserved": "2025-04-04T12:41:38.443Z",
"dateUpdated": "2025-07-07T14:40:12.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3263 (GCVE-0-2025-3263)
Vulnerability from cvelistv5 – Published: 2025-07-07 09:54 – Updated: 2025-07-07 14:51- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.51.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3263",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T14:49:04.994384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T14:51:54.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.51.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\\.(.*)\\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T09:54:59.670Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29"
},
{
"url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"
}
],
"source": {
"advisory": "c7a69150-54f8-4e81-8094-791e7a2a0f29",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-3263",
"datePublished": "2025-07-07T09:54:59.670Z",
"dateReserved": "2025-04-04T12:40:57.226Z",
"dateUpdated": "2025-07-07T14:51:54.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3262 (GCVE-0-2025-3262)
Vulnerability from cvelistv5 – Published: 2025-07-07 09:54 – Updated: 2025-07-07 15:19- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.51.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T15:19:35.031775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:19:42.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.51.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing \u0027almost matching\u0027 payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T09:54:39.079Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184"
},
{
"url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"
}
],
"source": {
"advisory": "ecf5ccc4-39e7-4fb3-b547-14a41d31a184",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-3262",
"datePublished": "2025-07-07T09:54:39.079Z",
"dateReserved": "2025-04-04T12:40:28.677Z",
"dateUpdated": "2025-07-07T15:19:42.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.