PyPI: transformers

CVE-2025-3933

Safety vulnerability ID: SFTY-20250711-93122

Safety legacy ID: pyup.io-78153

Affected versions of the `transformers` package are vulnerable to Regular Expression Denial of Service (ReDoS) due to unbounded regular expression complexity. The `DonutProcessor` class's `token2json()` method employs the regex pattern `<s_(.*?)>`, which can be manipulated to trigger catastrophic backtracking with crafted input strings. An attacker can exploit this by providing malicious input to the method, leading to excessive CPU consumption and potential service disruption during document processing tasks.

PythonPyPINVDNVDGitHubGHSA
Created at: Jan 6, 2026Updated at: Jan 6, 2026

Overview

Transformers is vulnerable to ReDoS attack through its DonutProcessor class

Advisory

Affected versions of the `transformers` package are vulnerable to Regular Expression Denial of Service (ReDoS) due to unbounded regular expression complexity. The `DonutProcessor` class's `token2json()` method employs the regex pattern `<s_(.*?)>`, which can be manipulated to trigger catastrophic backtracking with crafted input strings. An attacker can exploit this by providing malicious input to the method, leading to excessive CPU consumption and potential service disruption during document processing tasks.

Affected Package

Affecting transformers package, versions
>=4.22.0,<4.52.0

Also affects

---

How to Fix

Upgrade
transformers
to
4.52.0
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more