{"id":"PYSEC-2025-40","details":"A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.","aliases":["CVE-2025-2099","GHSA-qq3j-4f4f-9583"],"modified":"2025-05-21T19:57:02.841701Z","published":"2025-05-19T12:15:19Z","references":[{"type":"WEB","url":"https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4"},{"type":"FIX","url":"https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57"}],"affected":[{"package":{"name":"transformers","ecosystem":"PyPI","purl":"pkg:pypi/transformers"},"ranges":[{"type":"GIT","repo":"https://github.com/huggingface/transformers","events":[{"introduced":"0"},{"fixed":"8cb522b4190bd556ce51be04942720650b1a3e57"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.49.0"}]}],"versions":["0.1","2.0.0","2.1.0","2.1.1","2.10.0","2.11.0","2.2.0","2.2.1","2.2.2","2.3.0","2.4.0","2.4.1","2.5.0","2.5.1","2.6.0","2.7.0","2.8.0","2.9.0","2.9.1","3.0.0","3.0.1","3.0.2","3.1.0","3.2.0","3.3.0","3.3.1","3.4.0","3.5.0","3.5.1","4.0.0","4.0.0rc1","4.0.1","4.1.0","4.1.1","4.10.0","4.10.1","4.10.2","4.10.3","4.11.0","4.11.1","4.11.2","4.11.3","4.12.0","4.12.1","4.12.2","4.12.3","4.12.4","4.12.5","4.13.0","4.14.0","4.14.1","4.15.0","4.16.0","4.16.1","4.16.2","4.17.0","4.18.0","4.19.0","4.19.1","4.19.2","4.19.3","4.19.4","4.2.0","4.2.1","4.2.2","4.20.0","4.20.1","4.21.0","4.21.1","4.21.2","4.21.3","4.22.0","4.22.1","4.22.2","4.23.0","4.23.1","4.24.0","4.25.0","4.25.1","4.26.0","4.26.1","4.27.0","4.27.1","4.27.2","4.27.3","4.27.4","4.28.0","4.28.1","4.29.0","4.29.1","4.29.2","4.3.0","4.3.0rc1","4.3.1","4.3.2","4.3.3","4.30.0","4.30.1","4.30.2","4.31.0","4.32.0","4.32.1","4.33.0","4.33.1","4.33.2","4.33.3","4.34.0","4.34.1","4.35.0","4.35.1","4.35.2","4.36.0","4.36.1","4.36.2","4.37.0","4.37.1","4.37.2","4.38.0","4.38.1","4.38.2","4.39.0","4.39.1","4.39.2","4.39.3","4.4.0","4.4.1","4.4.2","4.40.0","4.40.1","4.40.2","4.41.0","4.41.1","4.41.2","4.42.0","4.42.1","4.42.2","4.42.3","4.42.4","4.43.0","4.43.1","4.43.2","4.43.3","4.43.4","4.44.0","4.44.1","4.44.2","4.45.0","4.45.1","4.45.2","4.46.0","4.46.1","4.46.2","4.46.3","4.47.0","4.47.1","4.48.0","4.48.1","4.48.2","4.48.3","4.5.0","4.5.1","4.6.0","4.6.1","4.7.0","4.8.0","4.8.1","4.8.2","4.9.0","4.9.1","4.9.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/transformers/PYSEC-2025-40.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}