CVE-2025-6921: The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (R
Summary
The huggingface/transformers library before version 4.53.0 has a vulnerability where malicious regular expressions (patterns used to match text) in certain settings can cause ReDoS (regular expression denial of service, a type of attack that makes a system use 100% CPU and become unresponsive). An attacker who can control these regex patterns in the AdamWeightDecay optimizer (a tool that helps train machine learning models) can make the system hang and stop working.
Solution / Mitigation
Update to huggingface/transformers version 4.53.0 or later.
Vulnerability Details
7.5(high)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-6921
First tracked: February 15, 2026 at 08:44 PM
Classified by LLM (prompt v3) · confidence: 95%