CVE-2025-3264: 
Hugging Face Transformers vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library (CVE-2025-3264), specifically in the get_imports() function within dynamic_module_utils.py. The vulnerability affects versions 4.49.0 and was fixed in version 4.51.0. The issue was disclosed on July 7, 2025 (NVD).

The vulnerability stems from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code. This pattern can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability has been assigned a CVSS 3.0 base score of 5.3 (MEDIUM) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and is classified under CWE-1333 (Inefficient Regular Expression Complexity) (NVD).

The vulnerability can lead to multiple adverse effects including remote code loading disruption, resource exhaustion in model serving, potential supply chain attack vectors, and development pipeline disruption. The primary impact is on system availability through CPU resource consumption (NVD).

The vulnerability has been fixed in Hugging Face Transformers version 4.51.0. Users are advised to upgrade to this version or later to mitigate the issue (GitHub Commit).