| purl | pkg:pypi/transformers@4.52.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3gc6-hf7m-qbfn (Aliases: CVE-2025-6638, GHSA-59p9-h35m-wg4g) | transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers | Affected by 1 other vulnerability. |
| VCID-46y8-cawt-g7br (Aliases: CVE-2025-6921, GHSA-4w7r-h757-3r74) | Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive. | Affected by 1 other vulnerability. |
| VCID-aqqd-thbn-byaf (Aliases: CVE-2026-1839, GHSA-69w3-r845-3855) | transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file | Affected by 0 other vulnerabilities. |
| VCID-s9jb-vbrz-2qa5 (Aliases: CVE-2025-6051, GHSA-rcv9-qm8p-9p6j) | transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers | Affected by 1 other vulnerability. |
| VCID-w57w-5mrk-cqbr (Aliases: CVE-2025-5197, GHSA-9356-575x-2w9m) | Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability. A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats. | Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:48:27.316360+00:00 | GitLab Importer | Affected by | VCID-aqqd-thbn-byaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/transformers/CVE-2026-1839.yml | 38.6.0 |
| 2026-06-06T06:10:31.055682+00:00 | GitLab Importer | Affected by | VCID-46y8-cawt-g7br | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/transformers/CVE-2025-6921.yml | 38.6.0 |
| 2026-06-06T06:06:24.448492+00:00 | GitLab Importer | Affected by | VCID-s9jb-vbrz-2qa5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/transformers/CVE-2025-6051.yml | 38.6.0 |
| 2026-06-06T06:06:23.171441+00:00 | GitLab Importer | Affected by | VCID-3gc6-hf7m-qbfn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/transformers/CVE-2025-6638.yml | 38.6.0 |
| 2026-06-06T05:57:07.207056+00:00 | GitLab Importer | Affected by | VCID-w57w-5mrk-cqbr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/transformers/CVE-2025-5197.yml | 38.6.0 |