PyPI: transformers
CVE-2025-6051
Safety vulnerability ID: SFTY-20250914-55651
Safety legacy ID: pyup.io-79595
Overview
Hugging Face Transformers library has Regular Expression Denial of Service
Advisory
Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient regular expressions in the EnglishNormalizer.normalize_numbers() method. The normalize_numbers() implementation in src/transformers/models/clvp/number_normalizer.py applies number-matching patterns such as ([0-9][0-9,]+[0-9]) to untrusted input without atomic grouping or bounds, allowing catastrophic backtracking and excessive CPU consumption.
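As an added illustration (not code from this advisory or from the transformers project), the following Python shows one defensive shape for the comma-stripping step the advisory describes: a length cap applied before any regex runs, and a pattern whose repetitions are bounded so the matcher's work per start position is capped. The names `remove_commas`, `BOUNDED_COMMA_NUMBER` and `MAX_INPUT_CHARS`, the limits chosen, and the stricter matching (only well-formed thousands groups) are assumptions for this example, not the upstream fix.

```python
import re

# Pattern quoted in the advisory: an unbounded repetition over digits and commas,
# run by a backtracking engine (CPython's re has no match timeout).
ADVISORY_PATTERN = re.compile(r"([0-9][0-9,]+[0-9])")

# Hardened replacement (assumption for this example, not the upstream fix):
# every repetition has an explicit upper bound, so the engine can never spend
# more than a fixed number of steps from any starting position.
BOUNDED_COMMA_NUMBER = re.compile(r"\b[0-9]{1,3}(?:,[0-9]{3}){1,12}\b")

# Assumed cap on text handed to the normalizer; real deployments pick their own.
MAX_INPUT_CHARS = 4096


def remove_commas(text: str) -> str:
    """Strip thousands separators from comma-grouped numbers in ``text``.

    Two controls make this step resistant to pathological input:
    1. the input length is checked before any regex work happens, and
    2. the pattern uses bounded quantifiers only.
    """
    if len(text) > MAX_INPUT_CHARS:
        raise ValueError(
            f"input of {len(text)} chars exceeds normalizer limit of {MAX_INPUT_CHARS}"
        )
    # Keep the digits, drop the separators, leave everything else untouched.
    return BOUNDED_COMMA_NUMBER.sub(lambda m: m.group(0).replace(",", ""), text)


def quantifiers_are_bounded(pattern: re.Pattern) -> bool:
    """Heuristic lint: reject patterns containing the unbounded '+' or '*' quantifiers.

    Useful as a unit test guard so a future edit cannot silently reintroduce an
    unbounded repetition into an input-facing pattern.
    """
    return not re.search(r"(?<!\\)[+*]", pattern.pattern)


if __name__ == "__main__":
    # Constructed sample input for demonstration.
    sample = "Revenue rose to 1,234,567 dollars; 12,34 is not a grouped number."
    print(remove_commas(sample))
    print("advisory pattern bounded:", quantifiers_are_bounded(ADVISORY_PATTERN))
    print("hardened pattern bounded:", quantifiers_are_bounded(BOUNDED_COMMA_NUMBER))
```

The length check runs first on purpose: it is the one control that holds regardless of which pattern is in use, so it protects older code paths that still carry the original expression. The bounded pattern is stricter than the original (it only rewrites properly grouped thousands, such as 1,234,567), which is usually the intended behaviour for a text-to-speech normalizer; adjust the group bound if your inputs legitimately contain longer numbers.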
References
- https://getsafety.com/vulnerabilities/SFTY-20250914-55651/CVE-2025-6051
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6051
- https://github.com/advisories/GHSA-rcv9-qm8p-9p6j
- https://nvd.nist.gov/vuln/detail/CVE-2025-6051
- https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0
- https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d
- https://github.com/huggingface/transformers/pull/38844
- https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.