{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T01:50:33.486","vulnerabilities":[{"cve":{"id":"CVE-2025-2099","sourceIdentifier":"security@huntr.dev","published":"2025-05-19T12:15:19.640","lastModified":"2025-05-21T17:43:15.080","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario."},{"lang":"es","value":"Una vulnerabilidad en la función `preprocess_string()` del módulo `transformers.testing_utils` en huggingface/transformers versión v4.48.3 permite un ataque de denegación de servicio (ReDoS) mediante expresiones regulares. La expresión regular utilizada para procesar bloques de código en cadenas de documentación contiene cuantificadores anidados, lo que provoca un retroceso exponencial al procesar entradas con un gran número de caracteres de nueva línea. Un atacante puede explotar esto proporcionando un payload especialmente manipulado, lo que provoca un alto consumo de CPU y un posible tiempo de inactividad de la aplicación, lo que resulta en un escenario de denegación de servicio (DoS)."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-1333"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*","versionEndIncluding":"4.48.3","matchCriteriaId":"8C6BB08B-59CD-4524-AC16-55130113AE69"}]}]}],"references":[{"url":"https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57","source":"security@huntr.dev","tags":["Patch"]},{"url":"https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4","source":"security@huntr.dev","tags":["Exploit","Third Party Advisory"]}]}}]}