SecuriTricks - CVE-2024-12720

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).

Product(s) Impacted

Vendor	Product	Versions
Huggingface	Transformers	4.46.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1333

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	huggingface	transformers	4.46.3	/	/	/	/	/	/	/

References

https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf

https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98

CVSS Score

5.3 / 10

CVSS Data - 3.0

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

View Vector String

Timeline

Published: March 20, 2025, 10:15 a.m.
Last Modified: March 20, 2025, 2:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@huntr.dev

CVE-2024-12720