GHSA-fpwr-67px-3qhx

Source

https://github.com/advisories/GHSA-fpwr-67px-3qhx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-fpwr-67px-3qhx/GHSA-fpwr-67px-3qhx.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-fpwr-67px-3qhx

Aliases

CVE-2025-1194

Related

CGA-9j59-vrr3-9r8v

Published

2025-04-29T12:30:21Z

Modified

2025-04-29T15:59:27.777766Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Transformers Regular Expression Denial of Service (ReDoS) vulnerability

Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Database specific

{
    "nvd_published_at": "2025-04-29T12:15:31Z",
    "cwe_ids": [
        "CWE-1333"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T15:17:03Z"
}

References

Affected packages

PyPI / transformers

Package

Name: transformers; View open source insights on deps.dev
Purl: pkg:pypi/transformers

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.50.0

Affected versions

0.*

0.1

2.*

2.0.0

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.7.0

2.8.0

2.9.0

2.9.1

2.10.0

2.11.0

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0

3.3.0

3.3.1

3.4.0

3.5.0

3.5.1

4.*

4.0.0rc1

4.0.0

4.0.1

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.3.0rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.4.0

4.4.1

4.4.2

4.5.0

4.5.1

4.6.0

4.6.1

4.7.0

4.8.0

4.8.1

4.8.2

4.9.0

4.9.1

4.9.2

4.10.0

4.10.1

4.10.2

4.10.3

4.11.0

4.11.1

4.11.2

4.11.3

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.5

4.13.0

4.14.0

4.14.1

4.15.0

4.16.0

4.16.1

4.16.2

4.17.0

4.18.0

4.19.0

4.19.1

4.19.2

4.19.3

4.19.4

4.20.0

4.20.1

4.21.0

4.21.1

4.21.2

4.21.3

4.22.0

4.22.1

4.22.2

4.23.0

4.23.1

4.24.0

4.25.0

4.25.1

4.26.0

4.26.1

4.27.0

4.27.1

4.27.2

4.27.3

4.27.4

4.28.0

4.28.1

4.29.0

4.29.1

4.29.2

4.30.0

4.30.1

4.30.2

4.31.0

4.32.0

4.32.1

4.33.0

4.33.1

4.33.2

4.33.3

4.34.0

4.34.1

4.35.0

4.35.1

4.35.2

4.36.0

4.36.1

4.36.2

4.37.0

4.37.1

4.37.2

4.38.0

4.38.1

4.38.2

4.39.0

4.39.1

4.39.2

4.39.3

4.40.0

4.40.1

4.40.2

4.41.0

4.41.1

4.41.2

4.42.0

4.42.1

4.42.2

4.42.3

4.42.4

4.43.0

4.43.1

4.43.2

4.43.3

4.43.4

4.44.0

4.44.1

4.44.2

4.45.0

4.45.1

4.45.2

4.46.0

4.46.1

4.46.2

4.46.3

4.47.0

4.47.1

4.48.0

4.48.1

4.48.2

4.48.3

4.49.0