Bug 2394799 (CVE-2025-6638)

Summary: CVE-2025-6638 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alinfoot, anpicker, bbrownin, bparees, carogers, dfreiber, drivingdirectionsonline, drow, dtrifiro, erezende, haoli, hasun, hkataria, jajackso, jburrell, jcammara, jfula, jkoehler, jmitchel, jneedle, jowilson, jwong, kegrant, koliveir, kshier, lphiri, mabashia, mhayden, nyancey, omaciel, ometelka, pbohmill, pbraun, ptisnovs, quaint.mackerel.rttv, rbryant, sdoran, shvarugh, simaishi, smcdonal, stcannon, syedriko, teagle, tfister, thavo, ttakamiy, vkumar, weaton, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library. he issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-12 11:01:27 UTC 
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Comment 2 Marcus Clooney 2025-09-16 01:56:02 UTC 
This bug impacts my https://slitheriogame.io web game that uses huggingface/transformers. The ReDoS issue slows down gameplay when certain inputs are processed.
Comment 4 drivingdirections 2026-01-21 08:08:39 UTC 
This update addresses CVE-2025-6638, a medium-severity https://mapsdirectionsdriving.com/ ReDoS vulnerability in huggingface/transformers. While impact is limited, fixing it is necessary to prevent potential denial-of-service risks in regex processing. Silent deployment is appropriate, but downstream users should still update promptly.