| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| transformers | pip | < 4.51.0 | 4.51.0 |

The vulnerability is a Regular Expression Denial of Service (ReDoS) caused by inefficient regular expressions in three different parts of the transformers library. The primary vulnerable function, as stated in the description, is `get_configuration_file` in `src/transformers/configuration_utils.py`. The commit `126abe3461762e5fc180e7e614391d1b4ab051ca` clearly shows the removal of the vulnerable regex `config\.(.*)\.json` and its replacement with a safe string manipulation approach. The same commit also addresses two other ReDoS vulnerabilities. The first is in the `run` method of the `ChatCommand` class in `src/transformers/commands/chat.py`, where a vulnerable regex for parsing chat settings is replaced by a dedicated validation function. The second is in the `get_imports` function in `src/transformers/dynamic_module_utils.py`, where regex-based import parsing is replaced with a more secure AST-based approach. All three functions are directly involved in processing potentially untrusted input (file names, chat commands, or file content), making them the vulnerable functions that would appear in a runtime profile during exploitation.
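The three fixes described above share one defensive idea: replace a backtracking regex over untrusted input with parsing whose cost is linear in the input length. The following Python is an added example written to illustrate that idea; it is not code from the transformers project or from the cited commit. The file-name layout `config.<version>.json` (implied by the removed pattern), the `key=value` grammar assumed for chat settings, the `MAX_INPUT_LEN` cap and all sample inputs are assumptions made here for illustration.

```python
"""Linear-time replacements for regex-based parsing of untrusted input.

Added example, not code from the transformers project. The file-name
layout (config.<version>.json), the chat-setting grammar (key=value) and
the import-extraction semantics are assumptions made for illustration.
"""
import ast
from typing import Optional

# Defence in depth (assumed limit): refuse oversized inputs up front, so even
# a linear-time parser cannot be made to do unbounded work.
MAX_INPUT_LEN = 4096


def extract_config_version(filename: str) -> Optional[str]:
    """Return the <version> part of a 'config.<version>.json' file name.

    Prefix/suffix checks plus slicing: every step is O(len(filename)) and
    no backtracking regex engine is involved.
    """
    if len(filename) > MAX_INPUT_LEN:
        return None
    prefix, suffix = "config.", ".json"
    if not (filename.startswith(prefix) and filename.endswith(suffix)):
        return None
    version = filename[len(prefix):-len(suffix)]
    return version or None  # 'config.json' carries no version component


def parse_chat_setting(arg: str) -> Optional[tuple[str, str]]:
    """Validate one 'key=value' chat setting without a regex.

    Assumed grammar (not the library's): key is a non-empty Python
    identifier, value is non-empty and contains no whitespace.
    """
    if len(arg) > MAX_INPUT_LEN or "=" not in arg:
        return None
    key, _, value = arg.partition("=")
    if not key.isidentifier() or not value or any(c.isspace() for c in value):
        return None
    return key, value


def extract_top_level_imports(source: str) -> list[str]:
    """Collect the top-level module names a Python source string imports.

    Parsing with `ast` yields what the interpreter would really import,
    instead of whatever a regex happens to match inside comments or string
    literals, and the cost is bounded by the interpreter's own parser.
    """
    if len(source) > MAX_INPUT_LEN * 16:
        raise ValueError("source too large to inspect")
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        raise ValueError(f"not valid Python: {exc}") from exc
    modules = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                modules.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # Relative imports (level > 0) refer to the module's own package.
            modules.add(node.module.split(".")[0])
    return sorted(modules)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    print(extract_config_version("config.4.27.0.json"))  # 4.27.0
    print(parse_chat_setting("max_new_tokens=256"))      # ('max_new_tokens', '256')
    sample = (
        "import os\n"
        "from pathlib import Path\n"
        "# import commented_out\n"
        "s = 'import json'\n"
        "from . import sibling\n"
        "import numpy.linalg as la\n"
    )
    print(extract_top_level_imports(sample))  # ['numpy', 'os', 'pathlib']
```

The length cap is the piece worth keeping even where a regex is unavoidable: bounding input size before any pattern runs turns a potential super-linear blow-up into a fixed worst case, and it is cheap to add at every boundary where file names, CLI arguments or remote file contents enter the process.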