Bug 2379517 (CVE-2025-3933)

Summary: CVE-2025-3933 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alinfoot, anpicker, bbrownin, bparees, dtrifiro, haoli, hasun, hkataria, jajackso, jcammara, jfula, jkoehler, jmitchel, jneedle, jowilson, jwong, kegrant, koliveir, kshier, lphiri, mabashia, nyancey, ometelka, pbraun, ptisnovs, rbryant, shvarugh, simaishi, smcdonal, stcannon, syedriko, teagle, tfister, thavo, ttakamiy, weaton, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A regular expression denial of service flaw has been discovered in the Hugging Face Transformers library. The DonutProcessor class's `token2json()` method may consume excessive CPU resources given maliciously designed input.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-07-11 10:01:18 UTC 
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.