GHSA-6rvg-6v2m-4j46

Source

https://github.com/advisories/GHSA-6rvg-6v2m-4j46

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6rvg-6v2m-4j46/GHSA-6rvg-6v2m-4j46.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-6rvg-6v2m-4j46

Aliases

CVE-2024-12720

Related

CGA-f2g7-x7m9-rr5v

Published

2025-03-20T12:32:43Z

Modified

2025-03-21T17:54:45.445973Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenizationnougatfast.py. The vulnerability occurs in the postprocesssingle() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.

Database specific

{
    "nvd_published_at": "2025-03-20T10:15:29Z",
    "cwe_ids": [
        "CWE-1333"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:43:02Z"
}

References

Affected packages

PyPI / transformers

Package

Name: transformers; View open source insights on deps.dev
Purl: pkg:pypi/transformers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.48.0

Affected versions

0.*

0.1

2.*

2.0.0

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.10.0

2.11.0

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0

3.3.0

3.3.1

3.4.0

3.5.0

3.5.1

4.*

4.0.0rc1

4.0.0

4.0.1

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.3.0rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.2

4.5.0

4.5.1

4.6.0

4.6.1

4.7.0

4.8.0

4.8.1

4.8.2

4.9.0

4.9.1

4.9.2

4.10.0

4.10.1

4.10.2

4.10.3

4.11.0

4.11.1

4.11.2

4.11.3

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.13.0

4.14.0

4.14.1

4.15.0

4.16.0

4.16.1

4.16.2

4.17.0

4.18.0

4.19.0

4.19.1

4.19.2

4.19.3

4.19.4

4.20.0

4.20.1

4.21.0

4.21.1

4.21.2

4.21.3

4.22.0

4.22.1

4.22.2

4.23.0

4.23.1

4.24.0

4.25.0

4.25.1

4.26.0

4.26.1

4.27.0

4.27.1

4.27.2

4.27.3

4.27.4

4.28.0

4.28.1

4.29.0

4.29.1

4.29.2

4.30.0

4.30.1

4.30.2

4.31.0

4.32.0

4.32.1

4.33.0

4.33.1

4.33.2

4.33.3

4.34.0

4.34.1

4.35.0

4.35.1

4.35.2

4.36.0

4.36.1

4.36.2

4.37.0

4.37.1

4.37.2

4.38.0

4.38.1

4.38.2

4.39.0

4.39.1

4.39.2

4.39.3

4.40.0

4.40.1

4.40.2

4.41.0

4.41.1

4.41.2

4.42.0

4.42.1

4.42.2

4.42.3

4.42.4

4.43.0

4.43.1

4.43.2

4.43.3

4.43.4

4.44.0

4.44.1

4.44.2

4.45.0

4.45.1

4.45.2

4.46.0

4.46.1

4.46.2

4.46.3

4.47.0

4.47.1