Strix
26.1K

CVE-2025-6921

HIGHCVSS 7.5/10EPSS 0.47%

Last modified

CVE-2025-6921 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. EPSS estimates a 0.47% chance of exploitation in the next 30 days.

Description

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.47%

37.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
HuggingfaceTransformers< 4.53.0

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-6921?
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.
How severe is CVE-2025-6921?
CVE-2025-6921 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.
How do I fix CVE-2025-6921?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-6921?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST