PyPI: transformers
CVE-2025-6921
Safety vulnerability ID: SFTY-20250923-83793
Safety legacy ID: pyup.io-79855
Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to unbounded evaluation of user-supplied regular expressions in the AdamWeightDecay._do_use_weight_decay method. The TensorFlow optimizer’s _do_use_weight_decay iterates over include_in_weight_decay and exclude_from_weight_decay lists and calls re.search on each pattern against parameter names, enabling catastrophic backtracking on crafted inputs. An attacker who can control these lists can provide pathological patterns that saturate the CPU and cause processes using transformers to hang, resulting in a Denial of Service.
Overview
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
Advisory
Affected versions of the transformers package are vulnerable to Regular Expression Denial of Service (ReDoS) due to unbounded evaluation of user-supplied regular expressions in the AdamWeightDecay._do_use_weight_decay method. The TensorFlow optimizer’s _do_use_weight_decay iterates over include_in_weight_decay and exclude_from_weight_decay lists and calls re.search on each pattern against parameter names, enabling catastrophic backtracking on crafted inputs. An attacker who can control these lists can provide pathological patterns that saturate the CPU and cause processes using transformers to hang, resulting in a Denial of Service.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20250923-83793/CVE-2025-6921
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6921
- https://github.com/advisories/GHSA-4w7r-h757-3r74
- https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
- https://nvd.nist.gov/vuln/detail/CVE-2025-6921
- https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be
- https://huntr.com/bounties/287d15a7-6e7c-45d2-8c05-11e305776f1f
- https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099
- https://github.com/advisories/GHSA-4w7r-h757-3r74
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more