CVE-2024-12720

moderate-risk
Published 2025-03-20

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest).

Do I need to act?

-
0.14% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Huggingface

References (3)

Patch https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82...
Vendor Advisory https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98
Vendor Advisory https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98
32
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal