Bug 2394799 (CVE-2025-6638) - CVE-2025-6638 transformers: Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Summary: CVE-2025-6638 transformers: Regular Expression Denial of Service (ReDoS) in h...
Keywords:
Status: NEW
Alias: CVE-2025-6638
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-12 11:01 UTC by OSIDB Bzimport
Modified: 2026-01-21 08:08 UTC (History)
50 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-12 11:01:27 UTC 
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Comment 2 Marcus Clooney 2025-09-16 01:56:02 UTC 
This bug impacts my https://slitheriogame.io web game that uses huggingface/transformers. The ReDoS issue slows down gameplay when certain inputs are processed.
Comment 4 drivingdirections 2026-01-21 08:08:39 UTC 
This update addresses CVE-2025-6638, a medium-severity https://mapsdirectionsdriving.com/ ReDoS vulnerability in huggingface/transformers. While impact is limited, fixing it is necessary to prevent potential denial-of-service risks in regex processing. Silent deployment is appropriate, but downstream users should still update promptly.
Note You need to log in before you can comment on or make changes to this bug.