{"url":"http://public2.vulnerablecode.io/api/packages/832101?format=json","purl":"pkg:pypi/transformers@4.50.1","type":"pypi","namespace":"","name":"transformers","version":"4.50.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.0.0rc3","latest_non_vulnerable_version":"5.0.0rc3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75929?format=json","vulnerability_id":"VCID-3gc6-hf7m-qbfn","summary":"transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6638","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11789","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11829","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11823","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6638"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/"}],"url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"},{"reference_url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"},{"reference_url":"https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/"}],"url":"https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6638","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6638"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394799","reference_id":"2394799","reference_type":
"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2394799"},{"reference_url":"https://github.com/advisories/GHSA-59p9-h35m-wg4g","reference_id":"GHSA-59p9-h35m-wg4g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-59p9-h35m-wg4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70589?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aqqd-thbn-byaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-6638","GHSA-59p9-h35m-wg4g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3gc6-hf7m-qbfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47836?format=json","vulnerability_id":"VCID-46y8-cawt-g7br","summary":"Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer\nThe huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. 
This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6921","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11073","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11116","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11108","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6921"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/"}],"url":"https://github.com/huggin
gface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"},{"reference_url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"},{"reference_url":"https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/"}],"url":"https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2397617","reference_id":"2397617","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2397617"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6921","reference_id":"CVE-2025-6921","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6921"},{"reference_url":"https://github.com/advisories/GHSA-4w7r-h757-3r74","reference_id":"GHSA-4w7r-h757-3r74","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w7r-h757-3r74"}],"fixed_packages":[{"url":"htt
p://public2.vulnerablecode.io/api/packages/70589?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aqqd-thbn-byaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-6921","GHSA-4w7r-h757-3r74"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-46y8-cawt-g7br"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57577?format=json","vulnerability_id":"VCID-4p99-5cwj-8fbn","summary":"Transformers's Improper Input Validation vulnerability can be exploited through username injection\nHugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. 
The issue is fixed in version 4.52.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3777.json","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3777.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3777","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17607","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17646","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.1764","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3777"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/blame/a7d2bbaaa8aac64f7c1ee8c1421cfe84b38359a4/src/transformers/image_utils.py","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/blame/a7d2bbaaa8aac64f7c1ee8c1421cfe84b38359a4/src/transformers/image_utils.py"},{"reference_url":"https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:
R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T12:24:47Z/"}],"url":"https://github.com/huggingface/transformers/commit/4dda5f71b35fb70cf602187eef84bb17a50b9082"},{"reference_url":"https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T12:24:47Z/"}],"url":"https://huntr.com/bounties/ccba0730-9248-4853-b7ff-5c20e6364f09"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376775","reference_id":"2376775","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376775"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3777","reference_id":"CVE-2025-3777","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3777"},{"reference_url":"https://github.com/advisories/GHSA-phhr-52qp-3mj4","reference_id":"GHSA-phhr-52qp-3mj4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-phhr-52qp-3mj4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85634?format=json","purl":"pkg:pypi/transformers@4.52.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3
gc6-hf7m-qbfn"},{"vulnerability":"VCID-46y8-cawt-g7br"},{"vulnerability":"VCID-aqqd-thbn-byaf"},{"vulnerability":"VCID-s9jb-vbrz-2qa5"},{"vulnerability":"VCID-w57w-5mrk-cqbr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.52.1"}],"aliases":["CVE-2025-3777","GHSA-phhr-52qp-3mj4"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4p99-5cwj-8fbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57586?format=json","vulnerability_id":"VCID-6p4h-2f1g-9qh2","summary":"Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking\nA Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\\.(.*)\\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. 
This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3263.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3263.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3263","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26543","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26595","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26585","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3263"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:49:04Z/"}],"url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6
a089f6c1cc76"},{"reference_url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"},{"reference_url":"https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:49:04Z/"}],"url":"https://huntr.com/bounties/c7a69150-54f8-4e81-8094-791e7a2a0f29"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376773","reference_id":"2376773","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376773"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3263","reference_id":"CVE-2025-3263","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3263"},{"reference_url":"https://github.com/advisories/GHSA-q2wp-rjmx-x6x9","reference_id":"GHSA-q2wp-rjmx-x6x9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q2wp-rjmx-x6x9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85639?format=json","purl":"pkg:pypi/transformers@4.51.0","is_vulnerable":true,"affec
ted_by_vulnerabilities":[{"vulnerability":"VCID-3gc6-hf7m-qbfn"},{"vulnerability":"VCID-46y8-cawt-g7br"},{"vulnerability":"VCID-4p99-5cwj-8fbn"},{"vulnerability":"VCID-aqqd-thbn-byaf"},{"vulnerability":"VCID-pn57-nb2x-n7gw"},{"vulnerability":"VCID-s9jb-vbrz-2qa5"},{"vulnerability":"VCID-w57w-5mrk-cqbr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0"}],"aliases":["CVE-2025-3263","GHSA-q2wp-rjmx-x6x9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6p4h-2f1g-9qh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/63452?format=json","vulnerability_id":"VCID-aqqd-thbn-byaf","summary":"transformers: HuggingFace Transformers: Arbitrary code execution via malicious checkpoint file","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1839.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1839.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1839","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06738","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06746","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06749","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1839"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T13:27:38Z/"}],"url":"https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396"},{"reference_url":"https://github.com/huggingface/transformers/releases/tag/v5.0.0rc3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/releases/tag/v5.0.0rc3"},{"reference_url":"https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T13:27:38Z/"}],"url":"https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1839","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H"},{"value":"MODERATE","scoring_system"
:"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1839"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455854","reference_id":"2455854","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455854"},{"reference_url":"https://github.com/advisories/GHSA-69w3-r845-3855","reference_id":"GHSA-69w3-r845-3855","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-69w3-r845-3855"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111532?format=json","purl":"pkg:pypi/transformers@5.0.0rc3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@5.0.0rc3"}],"aliases":["CVE-2026-1839","GHSA-69w3-r845-3855"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aqqd-thbn-byaf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57589?format=json","vulnerability_id":"VCID-msje-w8r1-wkh8","summary":"Transformers vulnerable to ReDoS attack through its SETTING_RE variable\nA Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. 
The issue is fixed in version 4.51.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3262.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3262.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3262","reference_id":"","reference_type":"","scores":[{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55237","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55239","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00318","scoring_system":"epss","scoring_elements":"0.55247","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3262"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T15:19:35Z/"}],"url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"},{"reference_url":"https://github.com/huggingface/transformers/commit/1
26abe3461762e5fc180e7e614391d1b4ab051ca","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"},{"reference_url":"https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T15:19:35Z/"}],"url":"https://huntr.com/bounties/ecf5ccc4-39e7-4fb3-b547-14a41d31a184"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376761","reference_id":"2376761","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376761"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3262","reference_id":"CVE-2025-3262","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3262"},{"reference_url":"https://github.com/advisories/GHSA-489j-g2vx-39wf","reference_id":"GHSA-489j-g2vx-39wf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-489j-g2vx-39wf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85639?format=json","purl":"pkg:pypi/transformers@4.51.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3gc6-hf7m-qbfn"},{"vulnerability":"VC
ID-46y8-cawt-g7br"},{"vulnerability":"VCID-4p99-5cwj-8fbn"},{"vulnerability":"VCID-aqqd-thbn-byaf"},{"vulnerability":"VCID-pn57-nb2x-n7gw"},{"vulnerability":"VCID-s9jb-vbrz-2qa5"},{"vulnerability":"VCID-w57w-5mrk-cqbr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0"}],"aliases":["CVE-2025-3262","GHSA-489j-g2vx-39wf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-msje-w8r1-wkh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57642?format=json","vulnerability_id":"VCID-pn57-nb2x-n7gw","summary":"Transformers is vulnerable to ReDoS attack through its DonutProcessor class\nA Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. 
This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3933","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25255","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25321","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25304","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3933"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/"}],"url":"https://github.com/huggingfa
ce/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93"},{"reference_url":"https://github.com/huggingface/transformers/pull/37788","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/37788"},{"reference_url":"https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/"}],"url":"https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379517","reference_id":"2379517","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2379517"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3933","reference_id":"CVE-2025-3933","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3933"},{"reference_url":"https://github.com/advisories/GHSA-37mw-44qp-f5jm","reference_id":"GHSA-37mw-44qp-f5jm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-37mw-44qp-f5jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85634?format=json","purl":"pkg:pypi/transformers@4.52.1","is_vulnerable":true,"affected_by_vulnerabilities"
:[{"vulnerability":"VCID-3gc6-hf7m-qbfn"},{"vulnerability":"VCID-46y8-cawt-g7br"},{"vulnerability":"VCID-aqqd-thbn-byaf"},{"vulnerability":"VCID-s9jb-vbrz-2qa5"},{"vulnerability":"VCID-w57w-5mrk-cqbr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.52.1"}],"aliases":["CVE-2025-3933","GHSA-37mw-44qp-f5jm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pn57-nb2x-n7gw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57583?format=json","vulnerability_id":"VCID-qyfa-xf7d-n3gt","summary":"Transformers vulnerable to ReDoS attack through its get_imports() function\nA Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions from 4.49.0 onward (this package record lists 4.50.1 as affected) and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. 
This vulnerability can lead to disruption of remote-code model loading (the path that parses Python source during dynamic module loading), resource exhaustion in model serving, a denial-of-service supply-chain vector when the scanned Python source comes from an untrusted repository, and development pipeline disruption.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3264.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3264.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3264","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26543","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26595","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26585","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-3264"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:37:34Z/"}],"url":"https://github.com/huggingface/tran
sformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"},{"reference_url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"},{"reference_url":"https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:37:34Z/"}],"url":"https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376768","reference_id":"2376768","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2376768"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3264","reference_id":"CVE-2025-3264","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3264"},{"reference_url":"https://github.com/advisories/GHSA-jjph-296x-mrcr","reference_id":"GHSA-jjph-296x-mrcr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jjph-296x-mrcr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85639?format=json","purl":"pkg:pypi/tran
sformers@4.51.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3gc6-hf7m-qbfn"},{"vulnerability":"VCID-46y8-cawt-g7br"},{"vulnerability":"VCID-4p99-5cwj-8fbn"},{"vulnerability":"VCID-aqqd-thbn-byaf"},{"vulnerability":"VCID-pn57-nb2x-n7gw"},{"vulnerability":"VCID-s9jb-vbrz-2qa5"},{"vulnerability":"VCID-w57w-5mrk-cqbr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.51.0"}],"aliases":["CVE-2025-3264","GHSA-jjph-296x-mrcr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qyfa-xf7d-n3gt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75928?format=json","vulnerability_id":"VCID-s9jb-vbrz-2qa5","summary":"transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6051","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12395","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12431","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12432","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-6051"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","sc
oring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216"},{"reference_url":"https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/"}],"url":"https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0"},{"reference_url":"https://github.com/huggingface/transformers/pull/38844","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/pull/38844"},{"reference_url":"https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""
},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/"}],"url":"https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6051","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6051"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2395072","reference_id":"2395072","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2395072"},{"reference_url":"https://github.com/advisories/GHSA-rcv9-qm8p-9p6j","reference_id":"GHSA-rcv9-qm8p-9p6j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rcv9-qm8p-9p6j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70589?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aqqd-thbn-byaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-6051","GHSA-rcv9-qm8p-9p6j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s9jb-vbrz-2qa5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57789?format=json","vulnerability_id":"VCID-w57w-5mrk-cqbr","summary":"Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. 
This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted weight-name strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 (and, per this record, the later 4.52.1 release as well), with the fix shipped in version 4.53.0. This issue can lead to service disruption and resource exhaustion (a CPU-bound denial of service), including against API services that let untrusted callers supply weight names, impacting model conversion processes between TensorFlow and PyTorch formats.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5197.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5197.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5197","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26543","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26595","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26585","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-5197"},{"reference_url":"https://github.com/huggingface/transformers","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers"},{"reference_url":"https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"val
ue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a"},{"reference_url":"https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T13:02:53Z/"}],"url":"https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b"},{"reference_url":"https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-06T13:02:53Z/"}],"url":"https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2386842","reference_id":"2386842","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2386842"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5197","reference_id":"CVE-2025-5197","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nis
t.gov/vuln/detail/CVE-2025-5197"},{"reference_url":"https://github.com/advisories/GHSA-9356-575x-2w9m","reference_id":"GHSA-9356-575x-2w9m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9356-575x-2w9m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70589?format=json","purl":"pkg:pypi/transformers@4.53.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aqqd-thbn-byaf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.53.0"}],"aliases":["CVE-2025-5197","GHSA-9356-575x-2w9m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w57w-5mrk-cqbr"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/transformers@4.50.1"}