
CVE-2025-1194 (Medium) detected in transformers-4.49.0-py3-none-any.whl

Open mend-for-github-com[bot] opened this issue 7 months ago • 1 comment

CVE-2025-1194 - Medium Severity Vulnerability

Vulnerable Library - transformers-4.49.0-py3-none-any.whl

State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow

Library home page: https://files.pythonhosted.org/packages/20/37/1f29af63e9c30156a3ed6ebc2754077016577c094f31de7b2631e5d379eb/transformers-4.49.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20250502175959_GFJTEC/python_TAPWTV/20250502180002/transformers-4.49.0-py3-none-any.whl

Dependency Hierarchy:

  • :x: transformers-4.49.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: fca546cb0c3befa8a2ea52909690f598c18df050

Found in base branch: main

Vulnerability Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file "tokenization_gpt_neox_japanese.py" of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Publish Date: 2025-04-29

URL: CVE-2025-1194

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-fpwr-67px-3qhx

Release Date: 2025-04-29

Fix Resolution: transformers - 4.50.0


  • [ ] Check this box to open an automated fix PR

Well, transformers upgraded to the latest version here. Let's keep it open until a new major release.

Yerzhaisang, May 06 '25 19:05

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.