Vulnerability details: VCID-35kz-esn2-1yf5
Vulnerability ID VCID-35kz-esn2-1yf5
Aliases CVE-2025-6051
GHSA-rcv9-qm8p-9p6j
Summary A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json
epss 0.00034 https://api.first.org/data/v1/epss?cve=CVE-2025-6051
cvssv3.1 5.3 https://github.com/huggingface/transformers
generic_textual MODERATE https://github.com/huggingface/transformers
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216
generic_textual MODERATE https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216
cvssv3 5.3 https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
generic_textual MODERATE https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
ssvc Track https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
cvssv3.1 5.3 https://github.com/huggingface/transformers/pull/38844
generic_textual MODERATE https://github.com/huggingface/transformers/pull/38844
cvssv3 5.3 https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
cvssv3.1 5.3 https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
generic_textual MODERATE https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
ssvc Track https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-6051
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-6051
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6051.json
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/ Found at https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/pull/38844
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T15:59:46Z/ Found at https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-6051
Exploit Prediction Scoring System (EPSS)
Percentile 0.10351
EPSS Score 0.00034
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:09:02.087879+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/6xxx/CVE-2025-6051.json 38.6.0