CVE-2025-6638

ADVISORY - github

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

EPSS Score⁠: 0.00076 (0.232)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-1333⁠

Inefficient Regular Expression Complexity

ADVISORY - github

CWE-1333⁠

Inefficient Regular Expression Complexity

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-1333⁠

Inefficient Regular Expression Complexity

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories

NIST

CREATED

3 months ago

UPDATED

2 months ago

ADVISORY IDCVE-2025-6638⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7.5high

GitHub

CREATED

3 months ago

UPDATED

3 months ago

ADVISORY IDGHSA-59p9-h35m-wg4g⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium

GitLab

CREATED

3 months ago

UPDATED

3 months ago

ADVISORY ID

CVE-2025-6638

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-1333⁠CWE-937⁠

CVSS SCORE

5.3medium

Chainguard

CREATED

19 days ago

UPDATED

19 days ago

ADVISORY ID

CGA-ggxp-w36f-2g8p

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY