5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-3264

GHSA ID

GHSA-jjph-296x-mrcr

EPSS Score

0.24608%

CWE

CWE-1333

Published

7/7/2025

Updated

7/8/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3264

CVE-2025-3264: Transformers vulnerable to ReDoS attack through its get_imports() function

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-3264

GHSA ID

GHSA-jjph-296x-mrcr

EPSS Score

0.24608%

CWE

CWE-1333

Published

7/7/2025

Updated

7/8/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
transformers	pip	< 4.51.0	4.51.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly points to the get_imports function in dynamic_module_utils.py as the source of the ReDoS vulnerability. The provided commit 126abe3461762e5fc180e7e614391d1b4ab051ca confirms this by showing the removal of the vulnerable regex-based implementation and its replacement with a safer AST-based approach. The patch evidence clearly shows the line with re.sub and the problematic regex that was removed, which is the root cause of the vulnerability. Therefore, I can confidently identify transformers.dynamic_module_utils.get_imports as the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS) vuln*r**ility w*s *is*ov*r** in t** *u**in* **** Tr*ns*orm*rs li*r*ry, sp**i*i**lly in t** `**t_imports()` *un*tion wit*in `*yn*mi*_mo*ul*_utils.py`. T*is vuln*r**ility *****ts v*rsions *.**.* *n* is *ix

Reasoning

T** vuln*r**ility **s*ription *xpli*itly points to t** `**t_imports` *un*tion in `*yn*mi*_mo*ul*_utils.py` *s t** sour** o* t** R**oS vuln*r**ility. T** provi*** *ommit `****************************************` *on*irms t*is *y s*owin* t** r*mov*l o

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-3264: Transformers vulnerable to ReDoS attack through its get_imports() function

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI