Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pvb2-bzaz-w3bv
Vulnerability ID VCID-pvb2-bzaz-w3bv
Aliases CVE-2025-6638
GHSA-59p9-h35m-wg4g
Summary A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1333 Inefficient Regular Expression Complexity
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2025-6638
cvssv3.1 5.3 https://github.com/huggingface/transformers
generic_textual MODERATE https://github.com/huggingface/transformers
cvssv3 5.3 https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
generic_textual MODERATE https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
ssvc Track https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
generic_textual MODERATE https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
cvssv3 5.3 https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
cvssv3.1 5.3 https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
generic_textual MODERATE https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
ssvc Track https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-6638
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-6638
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json
https://api.first.org/data/v1/epss?cve=CVE-2025-6638
https://github.com/huggingface/transformers
https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
https://nvd.nist.gov/vuln/detail/CVE-2025-6638
2394799 https://bugzilla.redhat.com/show_bug.cgi?id=2394799
47c34fba5c303576560cb29767efb452ff12b8be https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
6a6c933f-9ce8-4ded-8b3b-2c1444c61f36 https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
GHSA-59p9-h35m-wg4g https://github.com/advisories/GHSA-59p9-h35m-wg4g
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6638.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/ Found at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-12T11:52:42Z/ Found at https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-6638
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.09874
EPSS Score 0.00032
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:09:17.668580+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/6xxx/CVE-2025-6638.json 38.6.0