CVE-2025-3933: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, sp
Summary
A ReDoS (regular expression denial of service, where carefully designed text input causes a regex pattern to consume excessive CPU) vulnerability was found in the Hugging Face Transformers library's DonutProcessor class, affecting versions 4.50.3 and earlier. The vulnerable regex pattern can be exploited through crafted input strings to cause the system to slow down or crash, disrupting document processing tasks that use the Donut model.
Solution / Mitigation
Update the Hugging Face Transformers library to version 4.52.1 or later, as this version contains the fix for the vulnerability.
Vulnerability Details
5.3 (medium)
EPSS: 0.0%
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-3933
First tracked: February 15, 2026 at 08:46 PM
Classified by LLM (prompt v3) · confidence: 95%