Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-46y8-cawt-g7br
Vulnerability ID VCID-46y8-cawt-g7br
Aliases CVE-2025-6921
GHSA-4w7r-h757-3r74
Summary Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-400 Uncontrolled Resource Consumption
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json
epss 0.00036 https://api.first.org/data/v1/epss?cve=CVE-2025-6921
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4w7r-h757-3r74
cvssv3.1 5.3 https://github.com/huggingface/transformers
generic_textual MODERATE https://github.com/huggingface/transformers
cvssv3 5.3 https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
generic_textual MODERATE https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
ssvc Track https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
generic_textual MODERATE https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
cvssv3 5.3 https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
cvssv3.1 5.3 https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
generic_textual MODERATE https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
ssvc Track https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-6921
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-6921
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json
https://api.first.org/data/v1/epss?cve=CVE-2025-6921
https://github.com/huggingface/transformers
https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
2397617 https://bugzilla.redhat.com/show_bug.cgi?id=2397617
CVE-2025-6921 https://nvd.nist.gov/vuln/detail/CVE-2025-6921
GHSA-4w7r-h757-3r74 https://github.com/advisories/GHSA-4w7r-h757-3r74
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6921.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/ Found at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-23T14:56:14Z/ Found at https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-6921
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.11116
EPSS Score 0.00036
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:47:56.218917+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/transformers/CVE-2025-6921.yml 38.6.0