CVE-2025-3263: 
NixOS vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library (CVE-2025-3263), specifically affecting the get_configuration_file() function within the transformers.configuration_utils module. The vulnerability exists in version 4.49.0 and was resolved in version 4.51.0. The issue was discovered and reported through the huntr.dev platform (NVD, Huntr).

The vulnerability stems from the implementation of a regular expression pattern config.(.*)\json in the configuration file handling functionality. This pattern is susceptible to catastrophic backtracking when processing crafted input strings. The vulnerability has been assigned a CVSS 3.0 base score of 5.3 (MEDIUM) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating a network-accessible vulnerability with low attack complexity and no required privileges (NVD).

When exploited, this vulnerability can lead to excessive CPU consumption, resulting in model serving disruption, resource exhaustion, and increased latency in applications using the Hugging Face Transformers library. The impact primarily affects the availability of services without compromising confidentiality or integrity (NVD).

The vulnerability has been patched in version 4.51.0 of the Hugging Face Transformers library. Users are strongly advised to upgrade to this version or later to mitigate the risk. The fix was implemented through a commit that addresses the regular expression pattern issue (Github).