{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-30T09:19:57.926","vulnerabilities":[{"cve":{"id":"CVE-2025-5197","sourceIdentifier":"security@huntr.dev","published":"2025-08-06T12:15:26.837","lastModified":"2026-06-17T09:47:25.920","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats."},{"lang":"es","value":"Existe una vulnerabilidad de denegación de servicio de expresiones regulares (ReDoS) en la librería Hugging Face Transformers, específicamente en la función `convert_tf_weight_name_to_pt_weight_name()`. Esta función, responsable de convertir los nombres de peso de TensorFlow al formato de PyTorch, utiliza un patrón de expresiones regulares `/[^/]*___([^/]*)/` que puede explotarse para causar un consumo excesivo de CPU mediante cadenas de entrada manipuladas debido a un retroceso catastrófico. La vulnerabilidad afecta a las versiones hasta la 4.51.3 y se corrigió en la versión 4.53.0. Este problema puede provocar interrupciones del servicio, agotamiento de recursos y posibles vulnerabilidades del servicio API, lo que afecta los procesos de conversión de modelos entre los formatos de TensorFlow y PyTorch."}],"affected":[{"source":"security@huntr.dev","affectedData":[{"vendor":"huggingface","product":"huggingface/transformers","versions":[{"version":"unspecified","lessThan":"4.53.0","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-08-06T13:02:53.771161Z","id":"CVE-2025-5197","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-1333"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*:*","versionEndExcluding":"4.53.0","matchCriteriaId":"028A5B9B-4F6A-41A1-8A94-8F904334B237"}]}]}],"references":[{"url":"https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b","source":"security@huntr.dev","tags":["Patch"]},{"url":"https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf","source":"security@huntr.dev","tags":["Exploit","Issue Tracking","Patch","Third Party Advisory"]},{"url":"https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Issue Tracking","Patch","Third Party Advisory"]}]}}]}