huggingface/transformers
cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*
- v4.48.3
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the `preprocess_string()` function of the `transformers.testing_utils` module in Hugging Face Transformers version 4.48.3. The function uses a regular expression to locate code blocks in docstrings, and that expression contains nested quantifiers. Such a pattern backtracks exponentially when the input contains a large number of newline characters, because every newline is a point at which the nested repetitions can be split in more than one way, and a failed match forces the engine to try each split. An attacker who can get a specially crafted docstring or Markdown payload into this parser can therefore drive CPU usage up and potentially take the application down, creating a Denial-of-Service condition.
Exploitation of this vulnerability leads to high CPU usage and potential application downtime, causing a Denial-of-Service condition.
The vulnerability can be reproduced by using `HfDocTestParser` from the `transformers.testing_utils` module to parse a docstring payload that contains a large number of newline characters: a string that mimics a Python code block in Markdown, with the `>>>` prompt followed by many newlines. When this payload is processed, the regular expression's nested quantifiers cause excessive backtracking, dramatically increasing execution time and CPU usage; each additional newline multiplies the work, so the payload itself does not need to be large.
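The backtracking blow-up described above, as an added example that is not code from the transformers project: the `VULNERABLE` pattern below is an illustrative stand-in modelled on the advisory's description (a lazy "anything up to a newline" group repeated inside another lazy repeat, compiled with `re.DOTALL`), not the exact regex from `preprocess_string()`, and the `HARDENED` pattern is likewise an assumption of this example, not the upstream fix. `crafted_payload()` builds the newline-flood input the advisory describes, and `growth_curve()` times a search per newline count so the exponential growth is visible next to the linear behaviour of the hardened pattern.

```python
import re
import time

# ASSUMPTION: illustrative pattern only, not the exact regex from
# transformers.testing_utils. It reproduces the shape the advisory describes:
# a lazy "anything, then a newline" group repeated inside another lazy repeat.
# With re.DOTALL, `.` may itself swallow newlines, so an input with k newlines
# can be split between the inner and outer repeats in 2**k ways; when no
# closing fence exists, every split is tried before the match fails.
VULNERABLE = re.compile(r"```python\n>>> ((?:.*?\n)*?.*?)```", re.DOTALL)

# Hardened variant (also an assumption, not the upstream fix): [^\n]* cannot
# cross a line boundary, so each outer repetition consumes exactly one line,
# the partition is unique and a failed search costs linear time.
HARDENED = re.compile(r"```python\n>>> ((?:[^\n]*\n)*?[^\n]*?)```")

# Constructed sample docstring that the parser is expected to handle.
BENIGN = "```python\n>>> print(1)\n1\n```"


def crafted_payload(newlines: int) -> str:
    """Constructed ReDoS input: the code-block opener and `>>>` prompt,
    a flood of newlines, and no closing fence, which forces the regex to fail."""
    return "```python\n>>> " + "\n" * newlines + "x"


def extract_code(pattern: re.Pattern, text: str):
    """Return the body of the first code block, or None if none is found."""
    m = pattern.search(text)
    return m.group(1) if m else None


def time_search(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one search (min() damps timer noise)."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_curve(pattern: re.Pattern, sizes) -> list:
    """Search time for each newline count. An exponential pattern roughly
    doubles with every extra newline; a linear one stays essentially flat."""
    return [time_search(pattern, crafted_payload(k)) for k in sizes]


if __name__ == "__main__":
    # Both patterns agree on well-formed input; only the failure path differs.
    assert extract_code(VULNERABLE, BENIGN) == extract_code(HARDENED, BENIGN)
    sizes = [8, 12, 16, 18]
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for k, secs in zip(sizes, growth_curve(pat, sizes)):
            print(f"{name:10s} newlines={k:2d} search={secs * 1000:9.3f} ms")
```

The point to take from the timings is the shape, not the absolute numbers: the vulnerable pattern's cost roughly doubles per added newline while the hardened one stays flat, which is why the fix for this class of bug is to remove the ambiguity (stop `.` from crossing line boundaries under `DOTALL`) rather than to cap input length. When auditing your own patterns, look for a repeated group whose body can also match the separator that ends it; that is the signature of exponential backtracking.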
Users can upgrade to Hugging Face Transformers version 4.50.0 or later, where this vulnerability has been fixed.