Vulnerability details: VCID-ydcb-5t2c-1fen
Vulnerability ID VCID-ydcb-5t2c-1fen
Aliases CVE-2025-3933
GHSA-37mw-44qp-f5jm
Summary A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
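The cost model behind the summary, as an added example that is not code from the Transformers project or the advisory: the quoted pattern `<s_(.*?)>` contains no nested quantifier, so one attempt is linear in the distance to the next `>`; the blow-up comes from `re.search` retrying from every candidate start, which is quadratic on a string made only of unterminated `<s_` openers. The `HARDENED_START` pattern, the benign token string and the payload builder are assumptions made for this example, not the upstream fix from PR 37788.

```python
import re
import time

# Pattern quoted in the advisory for CVE-2025-3933 (DonutProcessor.token2json).
# The lazy ".*?" has no nested quantifier, so a single attempt is linear in the
# distance to the next ">", but re.search retries from every candidate start,
# and a string full of "<s_" with no ">" makes the total cost quadratic.
VULNERABLE_START = re.compile(r"<s_(.*?)>", re.IGNORECASE)

# Illustrative hardening (an assumption for this example, not the upstream fix):
# a tag name never contains an angle bracket, so forbid them inside the group.
# Each retry now stops at the next "<" instead of scanning to the end of input.
HARDENED_START = re.compile(r"<s_([^<>]*?)>", re.IGNORECASE)

# Constructed benign Donut-style token sequence (not taken from the project).
BENIGN = "<s_menu><s_nm>Coffee</s_nm><s_price>3.50</s_price></s_menu>"


def first_start_tag(tokens: str, pattern: re.Pattern = HARDENED_START):
    """Return the name of the first <s_...> start tag, or None if there is none."""
    match = pattern.search(tokens)
    return match.group(1) if match else None


def adversarial_input(openers: int) -> str:
    """Constructed payload: many unterminated "<s_" openers and no ">" at all."""
    return "<s_" * openers


def search_seconds(pattern: re.Pattern, tokens: str) -> float:
    """Wall-clock cost of one search; both patterns return None on the payload."""
    start = time.perf_counter()
    pattern.search(tokens)
    return time.perf_counter() - start


def growth_ratio(pattern: re.Pattern, openers: int) -> float:
    """Cost ratio when the payload doubles: roughly 4 for quadratic, 2 for linear."""
    small = search_seconds(pattern, adversarial_input(openers))
    large = search_seconds(pattern, adversarial_input(2 * openers))
    return large / max(small, 1e-9)


if __name__ == "__main__":
    for openers in (1000, 2000, 4000):
        payload = adversarial_input(openers)
        print(f"{openers:>5} openers: vulnerable "
              f"{search_seconds(VULNERABLE_START, payload):.4f}s, "
              f"hardened {search_seconds(HARDENED_START, payload):.6f}s")
    print("vulnerable doubling ratio:", round(growth_ratio(VULNERABLE_START, 2000), 1))
    print("hardened doubling ratio:", round(growth_ratio(HARDENED_START, 2000), 1))
```

Run it as a script to see the vulnerable pattern's time roughly quadruple each time the payload doubles while the hardened pattern stays flat; both patterns extract the same tag names on well-formed Donut output, which is the property to check before swapping a regex in a parser.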
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json
epss 0.00088 https://api.first.org/data/v1/epss?cve=CVE-2025-3933
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-37mw-44qp-f5jm
cvssv3.1 5.3 https://github.com/huggingface/transformers
generic_textual MODERATE https://github.com/huggingface/transformers
cvssv3 5.3 https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93
cvssv3.1 5.3 https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93
generic_textual MODERATE https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93
ssvc Track https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93
cvssv3.1 5.3 https://github.com/huggingface/transformers/pull/37788
generic_textual MODERATE https://github.com/huggingface/transformers/pull/37788
cvssv3 5.3 https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
cvssv3.1 5.3 https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
generic_textual MODERATE https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
ssvc Track https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2025-3933
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-3933
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3933.json
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality Impact (C): None
Integrity Impact (I): None
Availability Impact (A): Low

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/ Found at https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/huggingface/transformers/pull/37788

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:34:20Z/ Found at https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-3933

Exploit Prediction Scoring System (EPSS)
Percentile 0.25244
EPSS Score 0.00088
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:18:55.009540+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/3xxx/CVE-2025-3933.json 38.6.0