CVE-2025-6921: 
NixOS vulnerability analysis and mitigation

CVE-2025-6921 affects the huggingface/transformers library versions prior to 4.53.0. The vulnerability is a Regular Expression Denial of Service (ReDoS) issue in the AdamWeightDecay optimizer. This vulnerability was discovered and disclosed on September 23, 2025 (NVD).

The vulnerability exists in the _do_use_weight_decay method of the AdamWeightDecay optimizer, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. When processing these regular expressions, the re.search call can trigger catastrophic backtracking, leading to 100% CPU utilization. The vulnerability has been assigned a CVSS v3.0 base score of 5.3 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, Huntr).

When exploited, this vulnerability can cause the machine learning task to hang and render services unresponsive through 100% CPU utilization. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in version 4.53.0 of the huggingface/transformers library. The fix involves removing the use of regular expressions entirely, as evidenced by the patch commit (Github Commit). Users should upgrade to version 4.53.0 or later to mitigate this vulnerability.