Hugging Face Transformers Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability exists in Hugging Face Transformers version 4.49.0. The issue arises from inefficient regular expression complexity in the 'SETTING_RE' variable within 'transformers/commands/chat.py'. The regex's repetition groups and non-optimized quantifiers cause exponential backtracking when processing 'almost matching' payloads, which can degrade application performance and potentially lead to a denial-of-service condition with specially crafted input strings.

Impact

Exploitation of this vulnerability can cause a degradation of application performance, potentially leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using Hugging Face Transformers version 4.49.0 and inputting strings that are 'almost matching' to the vulnerable regular expression. This can be done by creating a payload that takes advantage of the regex's repetition groups and non-optimized quantifiers, causing the regex engine to perform excessive backtracking. Once the vulnerability is triggered, the application will experience a noticeable slowdown, demonstrating the denial-of-service condition.
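The advisory above describes the mechanism (an unbounded repeat nested inside another unbounded repeat, tried against an input that almost matches) without showing the pattern itself. The following is an added example, not code from the Transformers project and not the `SETTING_RE` pattern from `transformers/commands/chat.py`: a coarse lint that walks CPython's parsed regex tree and flags the nested-quantifier shape, plus a timing helper to confirm a hit. The pattern strings used are textbook illustrations, the `re._parser` / `sre_parse` module is CPython-private, and the `has_nested_unbounded_repeat` / `match_seconds` names are this example's own.

```python
"""Coarse ReDoS lint: flag regexes that nest an unbounded repeat inside
another unbounded repeat, the shape that lets a backtracking engine try
exponentially many partitions of an almost-matching input.

Added example; the patterns below are textbook illustrations, not the
SETTING_RE from transformers/commands/chat.py.
"""
import re
import time

try:
    from re import _parser as sre_parse  # CPython 3.11+ (private module)
except ImportError:  # CPython <= 3.10
    import sre_parse

MAXREPEAT = sre_parse.MAXREPEAT  # sentinel for "no upper bound" (+, *, {n,})

_REPEATS = {"MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"}


def _nested(items, inside_unbounded):
    """Walk a parsed subpattern; True if an unbounded repeat sits inside another."""
    for op, av in items:
        name = getattr(op, "name", str(op))
        if name in _REPEATS:                    # av = (min, max, body)
            _lo, hi, body = av
            unbounded = hi == MAXREPEAT
            if unbounded and inside_unbounded:
                return True
            if _nested(body, inside_unbounded or unbounded):
                return True
        elif name == "SUBPATTERN":              # av = (group, add_flags, del_flags, body)
            if _nested(av[-1], inside_unbounded):
                return True
        elif name == "BRANCH":                  # av = (None, [alternative, ...])
            if any(_nested(alt, inside_unbounded) for alt in av[1]):
                return True
        elif name in ("ASSERT", "ASSERT_NOT"):  # av = (direction, body)
            if _nested(av[1], inside_unbounded):
                return True
        elif name == "ATOMIC_GROUP":            # av = body (3.11+)
            if _nested(av, inside_unbounded):
                return True
    return False


def has_nested_unbounded_repeat(pattern: str) -> bool:
    """Heuristic: does `pattern` nest +/*/{n,} inside another +/*/{n,}?

    Over-approximates (e.g. `(a+b)+` is fine because the `b` separates
    iterations), so a hit means "review this regex", not "this is exploitable".
    """
    return _nested(sre_parse.parse(pattern), False)


def match_seconds(pattern: str, text: str) -> float:
    """Wall-clock cost of one fullmatch attempt; used to confirm a lint hit."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Textbook nested-quantifier pattern beside its linear-time equivalent.
    for pat in (r"(a+)+$", r"a+$"):
        print(f"{pat:10} nested unbounded repeat: {has_nested_unbounded_repeat(pat)}")
    # Constructed almost-matching input: all 'a's, then a character that
    # defeats the final anchor, so the engine retries every partition.
    for n in (16, 20):
        print(f"n={n}: {match_seconds(r'(a+)+$', 'a' * n + '!'):.3f}s")
```

Run as a script it prints the lint verdict for both patterns and the match time growing with `n` for the nested one; in a code-review pipeline, `has_nested_unbounded_repeat` is the part worth keeping, applied to every pattern literal in a module so that this shape is caught before it reaches a user-facing parser.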

Remediation

Users can upgrade to Hugging Face Transformers version 4.51.0 or later to address this vulnerability.

Added: Jul 7, 2025, 10:43 AM
Updated: Jul 7, 2025, 10:43 AM