cvedb.io
CVE-2025-1194
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2025-04-29T12:15:31.717 · Last modified 2026-06-17T08:38:34.587

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Affected products

huggingface — transformers

Does this affect you?

Add your gear to cvedb and we'll alert you only when huggingface ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.