Transformers: the model-definition framework for state-of-the-art machine learning models in text, vision, audio, and multimodal models, for both inference and training.
Apache 2.0 License
All Versions
Vulnerabilities (Public)
Known vulnerabilities and security issues detected in the extension's dependencies and code.
| Vulnerability ID | Advisory | Severity | | | Affected Versions |
|---|---|---|---|---|---|
| CVE-2026-1839 | Affected versions of the transformers package are vulnerable to Deserialization of Untrusted Data due to an unsafe torch.load() invocation within the Trainer class that omits the weights_only=True par… | High | – | – | <5.0.0rc3 |
| CVE-2025-6921 | Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to unbounded evaluation of user-supplied regular expressions in the AdamWeightDecay._do… | High | – | – | <4.53.0 |
| CVE-2025-6638 | Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient regular expressions in the MarianTokenizer.remove_language_code() method… | High | – | – | <4.53.0 |
| CVE-2025-3262 | Affected versions of the Hugging Face Transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient regex patterns in multiple components. The vulnerable regul… | High | – | – | >=4.49.0,<4.51.0 |
| CVE-2025-5197 | Affected versions of the Hugging Face Transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an inefficient regex pattern in weight name conversion. The convert_tf_… | Medium | – | – | <4.53.0 |
| CVE-2025-6051 | Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient regular expressions in the EnglishNormalizer.normalize_numbers() method.… | Medium | – | – | <4.53.0 |
| CVE-2025-3933 | Affected versions of the `transformers` package are vulnerable to Regular Expression Denial of Service (ReDoS) due to unbounded regular expression complexity. The `DonutProcessor` class's `token2json(… | Medium | – | – | >=4.22.0,<4.52.0 |
| CVE-2025-3263 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.c… | Medium | – | – | <4.51.0 |
| CVE-2025-3264 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. Thi… | Medium | – | – | <4.51.0 |
| CVE-2025-3777 | Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the… | Low | – | – | <4.52.1 |
Safety Discovered Vulnerabilities
Additional security issues found by Safety, exclusive to our platform.

