CVE-2025-3262: 
NixOS vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2025-3262) was discovered in the huggingface/transformers repository version 4.49.0. The vulnerability exists in the SETTING_RE variable within the transformers/commands/chat.py file, where inefficient regular expression complexity could lead to potential denial-of-service conditions. The issue was disclosed on July 7, 2025, and has been fixed in version 4.51.0 (NVD).

The vulnerability stems from inefficient regular expression complexity in the chat.py file, specifically in the SETTING_RE variable. The regex implementation contains repetition groups and non-optimized quantifiers that can cause exponential backtracking when processing 'almost matching' payloads. The vulnerability has been assigned a CVSS v3.0 base score of 5.3 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, Huntr).

When exploited, this vulnerability can degrade application performance and potentially result in a denial-of-service (DoS) condition when handling specially crafted input strings. The impact is primarily focused on availability, with no direct effect on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in huggingface/transformers version 4.51.0. Users are advised to upgrade to this version or later to mitigate the vulnerability (Github).