CVE-2024-12720 MEDIUM

CVE-2024-12720: Regular Expression Denial of Service (ReDoS) in huggingface/transformers

Vendor Huggingface
Product huggingface/transformers
Weakness CWE-1333
Published March 20, 2025
Last update March 20, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated