← Back to CVEs
CVE-2025-3933
MEDIUM5.3
Description
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
CVE Details
CVSS v3.1 Score5.3
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published7/11/2025
Last Modified8/7/2025
Sourcenvd
Honeypot Sightings0
Affected Products
huggingface:transformers
Weaknesses (CWE)
CWE-1333
References
https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93(security@huntr.dev)
https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b(security@huntr.dev)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.