CVE-2025-3264: Transformers vulnerable to ReDoS attack through its get_imports() function

CVSS Score: 5.3 (CVSS v3.0)

Basic Information

EPSS Score: 0.24608%
Published: 7/7/2025
Updated: 7/8/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: transformers
Ecosystem: pip
Vulnerable Versions: < 4.51.0
First Patched Version: 4.51.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description explicitly points to the get_imports function in dynamic_module_utils.py as the source of the ReDoS vulnerability. The provided commit 126abe3461762e5fc180e7e614391d1b4ab051ca confirms this by showing the removal of the vulnerable regex-based implementation and its replacement with a safer AST-based approach. The patch evidence clearly shows the line with re.sub and the problematic regex that was removed, which is the root cause of the vulnerability. Therefore, I can confidently identify transformers.dynamic_module_utils.get_imports as the vulnerable function.
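The fix direction described above (a regex scan of module source replaced by AST parsing) is the generic defensive pattern for this class of ReDoS, so here is an added example of an AST-based import collector. It is not the transformers project's code: the function names, the decision to skip relative imports, and the handling of optional imports guarded by `except ImportError` are assumptions chosen for illustration, and the sample module text is constructed. The version check uses only the version boundary the record itself states (first patched version 4.51.0).

```python
"""AST-based import discovery (added example, not the transformers code).

The ast module tokenises and parses the file in time linear in its size, so
an attacker-shaped input cannot make the scan backtrack the way a poorly
anchored regular expression can.
"""
import ast
import re
from typing import List, Set


def _catches_import_error(node: ast.Try) -> bool:
    """True when a try/except block swallows ImportError or ModuleNotFoundError.

    Imports inside such a block are optional dependencies, so (by assumption
    in this example) they are not reported as required.
    """
    for handler in node.handlers:
        t = handler.type
        if t is None:  # bare `except:` catches everything
            return True
        names = []
        if isinstance(t, ast.Name):
            names = [t.id]
        elif isinstance(t, ast.Tuple):
            names = [e.id for e in t.elts if isinstance(e, ast.Name)]
        if any(n in ("ImportError", "ModuleNotFoundError") for n in names):
            return True
    return False


def _collect(node: ast.AST, found: Set[str]) -> None:
    """Recursive walk that records imports and skips optional-import blocks."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, ast.Try) and _catches_import_error(child):
            continue  # whole guarded block is optional; do not descend into it
        if isinstance(child, ast.Import):
            for alias in child.names:
                found.add(alias.name.split(".")[0])  # `import a.b` -> `a`
        elif isinstance(child, ast.ImportFrom):
            # level > 0 means a relative import (`from . import x`), which
            # refers to a sibling file rather than an installable package.
            if child.level == 0 and child.module:
                found.add(child.module.split(".")[0])
        _collect(child, found)


def get_imports_ast(source: str) -> List[str]:
    """Return the sorted top-level package names that `source` imports."""
    found: Set[str] = set()
    _collect(ast.parse(source), found)
    return sorted(found)


def _version_key(version: str):
    """Turn '4.50.3' (or '4.51.0.dev0') into a comparable tuple of ints."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed_version: str, first_patched: str = "4.51.0") -> bool:
    """True when the installed transformers release predates the first fixed one."""
    return _version_key(installed_version) < _version_key(first_patched)


# Constructed sample module text, not taken from any real repository.
SAMPLE_MODULE = """
import os, numpy as np
from torch.nn import functional as F
from . import configuration_custom
try:
    import flash_attn
except ImportError:
    flash_attn = None
"""

# Constructed input shaped like a long run of padding, the kind of thing a
# backtracking regex can choke on; the parser handles it in linear time.
PADDED_MODULE = "import" + " " * 100_000 + "os\n"


def main() -> None:
    print(get_imports_ast(SAMPLE_MODULE))    # ['numpy', 'os', 'torch']
    print(get_imports_ast(PADDED_MODULE))    # ['os']
    print(is_vulnerable("4.50.3"), is_vulnerable("4.51.0"))  # True False


if __name__ == "__main__":
    main()
```

Running the module prints the required packages for the sample (the relative import and the optional `flash_attn` are left out) and shows that the padded input is handled without any measurable delay, which is the property the AST rewrite buys over the regex it replaced.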
