CVE-2025-1194: 
NixOS vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library (CVE-2025-1194), specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability was discovered on April 29, 2025, affecting version v4.48.1. The issue occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs (NVD).

The vulnerability stems from a regex pattern exhibiting exponential complexity under certain conditions, leading to excessive backtracking. The issue is present in the content_repatter6 regex implementation within the SubWordJapaneseTokenizer class. The vulnerability has been assigned a CVSS v3.0 score of 4.3 (MEDIUM) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. The weakness has been categorized as CWE-1333 (Inefficient Regular Expression Complexity) (NVD, HF Commit).

When exploited, this vulnerability can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The impact is particularly significant when processing specially crafted inputs that trigger the exponential backtracking behavior in the regex pattern (NVD).

A fix has been implemented in the HuggingFace transformers repository through commit 92c5ca9. The solution involves using possessive quantifiers for Python versions >= 3.11 and a simplified regex pattern for earlier versions, both designed to prevent catastrophic backtracking while maintaining the same functionality (HF Commit).