4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-1194

GHSA ID

GHSA-fpwr-67px-3qhx

EPSS Score

0.14995%

CWE

CWE-1333

Published

4/29/2025

Updated

4/29/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1194

CVE-2025-1194: Transformers Regular Expression Denial of Service (ReDoS) vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

(GitHub Advisory)

4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-1194

GHSA ID

GHSA-fpwr-67px-3qhx

EPSS Score

0.14995%

CWE

CWE-1333

Published

4/29/2025

Updated

4/29/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
transformers	pip	< 4.50.0	4.50.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description points to a ReDoS in tokenization_gpt_neox_japanese.py within the SubWordJapaneseTokenizer class due to a problematic regex. The provided commit 92c5ca9dd70de3ade2af2eb835c96215cc50e815 confirms this by modifying the self.content_repatter6 regex in the __init__ method of this class. The same vulnerable pattern and fix were identified in the __init__ method of the SubWordJapaneseTokenizer class within the deprecated gptsan_japanese module. Additionally, the commit addresses another ReDoS vulnerability in the normalize_list_like_lines function in tokenization_nougat_fast.py by removing a complex regex and refactoring the function. These functions are identified as vulnerable because they either define (in __init__ methods, where the regex is compiled) or directly utilize (in normalize_list_like_lines) regular expressions prone to catastrophic backtracking, leading to excessive CPU usage and potential DoS.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS) vuln*r**ility w*s i**nti*i** in t** *u**in*****/tr*ns*orm*rs li*r*ry, sp**i*i**lly in t** *il* `tok*niz*tion_*pt_n*ox_j*p*n*s*.py` o* t** *PT-N*oX-J*p*n*s* mo**l. T** vuln*r**ility o**urs in t** Su*Wor*J

Reasoning

T** vuln*r**ility **s*ription points to * R**oS in `tok*niz*tion_*pt_n*ox_j*p*n*s*.py` wit*in t** `Su*Wor*J*p*n*s*Tok*niz*r` *l*ss *u* to * pro*l*m*ti* r***x. T** provi*** *ommit `****************************************` *on*irms t*is *y mo*i*yin* t

4.3

Basic Information

Concerned about an active attack path?

CVE-2025-1194: Transformers Regular Expression Denial of Service (ReDoS) vulnerability

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI