Hugging Face Transformers Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, present in version 4.46.3. The issue is in the 'post_process_single()' function of 'tokenization_nougat_fast.py' (the fast Nougat tokenizer). A regular expression in that function backtracks catastrophically on specially crafted input: matching time grows exponentially with the length of the crafted portion, so a short string is enough to keep the regex engine busy for an arbitrarily long time. The result is sustained high CPU usage and potential application downtime, i.e. a Denial-of-Service condition.

Impact

Exploitation causes sustained high CPU usage on the thread running Nougat post-processing and can lead to application downtime, a Denial-of-Service condition.

Reproduction

The vulnerability can be reproduced with the 'NougatProcessor' class from the Transformers library. After loading the model, call 'post_process_single()' with input strings containing a run of '0' characters. Processing time grows exponentially in the number of '0' characters, so each additional character multiplies the work rather than adding to it; a short string therefore suffices to pin a CPU core, which is what makes the input practical as an attack.

Remediation

Update to Hugging Face Transformers version 4.48.0 or later, which contains the fix. Until the upgrade is deployed, treat text reaching the Nougat post-processing step as untrusted and run it under a CPU-time limit or in a worker that can be killed, since a long-running 're' match cannot be interrupted from Python code once it has started.
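The following is an added example, not code from this page or from the Transformers project, and it does not reproduce the regex in 'tokenization_nougat_fast.py'. It uses a constructed stand-in pattern with the same nested-quantifier shape to show the measurement the Reproduction section describes (timing growth as '0' characters are added) and, for the Remediation section, the two defence-in-depth measures that go beyond upgrading: an equivalent regex without nested quantifiers, and a length cap in front of the engine. The constant MAX_INPUT_CHARS, the pattern VULNERABLE and all function names are assumptions made for illustration.

```python
"""Added example (not the page's or the Transformers project's code): reproduce
the exponential growth described above on a constructed stand-in pattern and
show a linear rewrite plus an input-length guard.

Assumption: VULNERABLE below is a stand-in with the same nested-quantifier
shape, not the regex in tokenization_nougat_fast.py; MAX_INPUT_CHARS is an
illustrative cap, not a value from the library.
"""
import re
import time

# Stand-in for a nested-quantifier pattern (assumption, not the library's regex).
# On "000...0x" CPython's backtracking engine tries every way to split the digit
# run between the inner and outer `+` before concluding that `$` cannot match:
# roughly 2**(n-1) attempts for n digits.
VULNERABLE = re.compile(r"(\d+)+$")

# Accepts exactly the same strings, but with a single quantifier there is only
# one way to consume the run, so a failing suffix is rejected in linear time.
# (On Python 3.11+ an atomic group, r"(?>\d+)+$", also removes the backtracking;
# the plain rewrite is used here so the block runs on older interpreters.)
HARDENED = re.compile(r"\d+$")

# Defence in depth: bound the work of a *linear* pattern. A cap cannot rescue an
# exponential one (10_000 digits would still run effectively forever), so it
# complements the rewrite rather than replacing it. Value chosen for illustration.
MAX_INPUT_CHARS = 10_000


def attack_string(n: int) -> str:
    """n '0' characters followed by one that makes the trailing `$` fail."""
    return "0" * n + "x"


def time_match(pattern: re.Pattern, text: str, runs: int = 3) -> float:
    """Best-of-`runs` wall-clock seconds for pattern.match(text)."""
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: re.Pattern, n_small: int = 14, n_large: int = 18) -> float:
    """Slow-down factor when the attack string gains (n_large - n_small) digits.

    A linear pattern stays near 1; the nested-quantifier pattern comes out near
    2 ** (n_large - n_small) = 16, the fingerprint of catastrophic backtracking
    that the Reproduction section describes.
    """
    small = max(time_match(pattern, attack_string(n_small)), 1e-9)
    large = time_match(pattern, attack_string(n_large))
    return large / small


def is_safe_length(text: str) -> bool:
    """Length check applied before any regex runs."""
    return len(text) <= MAX_INPUT_CHARS


def guarded_match(pattern: re.Pattern, text: str):
    """Reject oversized input before the regex engine sees it."""
    if not is_safe_length(text):
        raise ValueError(f"input of {len(text)} chars exceeds cap of {MAX_INPUT_CHARS}")
    return pattern.match(text)


if __name__ == "__main__":
    # Constructed inputs: the vulnerable column roughly doubles per step,
    # the hardened column stays flat.
    for n in range(10, 21, 2):
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE, attack_string(n)):.4f}s  "
              f"hardened={time_match(HARDENED, attack_string(n)):.6f}s")
    print("growth ratio (vulnerable):", round(growth_ratio(VULNERABLE), 1))
    print("growth ratio (hardened):  ", round(growth_ratio(HARDENED), 1))
```

The growth ratio is the useful signal when triaging a suspected ReDoS: timing one input says little, but a factor near 2**k after adding k characters is unambiguous. Note that the length cap only bounds a pattern that is already linear; against the nested-quantifier form it would have to be set so low (about twenty characters) that it would break legitimate input, which is why upgrading to the fixed release remains the actual remediation.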

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.