CVE-2025-2099: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-2099) was discovered in the preprocess_string() function of the transformers.testing_utils module in huggingface/transformers version v4.48.3. The vulnerability was disclosed on May 19, 2025, and is classified as a Regular Expression Denial of Service (ReDoS) vulnerability that affects the code block processing functionality in docstrings (NVD, Wiz).

The vulnerability stems from nested quantifiers in the regular expression pattern ((?:python|py)\s*\n\s*>>> )((?:.*?\n)*?.*?) used to process code blocks in docstrings. This pattern can lead to exponential backtracking when processing input with a large number of newline characters. The vulnerability has been assigned varying CVSS scores: a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a CVSS v3.0 base score of 5.3 (Medium) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, Wiz).

When exploited, this vulnerability can cause high CPU usage and potential application downtime through a Denial of Service (DoS) scenario. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (NVD, Wiz).

A fix has been implemented by simplifying the regular expression pattern to ((?:python|py)\s*\n\s*>>> )(.*?) and modifying the re.split() function call to use the flags parameter correctly. The patch is available in the repository commit (GitHub Commit).