Hugging Face Transformers
cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*
- 4.49.0
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, in the 'get_configuration_file()' function of the 'transformers.configuration_utils' module. Version 4.49.0 is affected. The function applies the unanchored regular expression 'config\.(.*)\.json' to file names it is given; a crafted file name forces the regex engine into excessive backtracking, so a single call consumes CPU time that grows far faster than the length of the input.
Exploitation causes excessive CPU consumption in the process that loads the configuration, leading to resource exhaustion, increased application latency, and potential disruption of model serving.
The vulnerability can be reproduced with Hugging Face Transformers version 4.49.0 by calling 'get_configuration_file()' with a list of configuration file names that contains a crafted entry. The crafted name is matched with 're.search()' against the pattern 'config\.(.*)\.json'. Because the search is unanchored, every occurrence of 'config.' in the name is a candidate start, and from each candidate the greedy '(.*)' scans to the end of the string and then backtracks one character at a time looking for '.json'. A name built from many repeated 'config.' substrings with no '.json' terminator therefore makes the engine re-scan the remainder of the string once per candidate, and the total work grows roughly with the square of the input length. In practice the file-name list is derived from the files of the model repository being loaded, so a malicious repository can supply such a name.
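The following script, added here as an illustration and not taken from the Transformers code base or from any published proof of concept, shows the cost of the unanchored pattern on a constructed file name and contrasts it with a linear-time prefix/suffix check. The helpers 'extract_version_search', 'extract_version_safe', 'crafted_file_name' and 'benchmark' are names chosen for this example; the safe variant is an illustrative mitigation, not the upstream fix (the fix is to upgrade).

```python
import re
import time

# The pattern named in the advisory, used unanchored via re.search(),
# which is how the affected get_configuration_file() applies it.
VULNERABLE_PATTERN = re.compile(r"config\.(.*)\.json")

PREFIX = "config."
SUFFIX = ".json"


def extract_version_search(file_name: str):
    """Simplified re-implementation (not the library's code) of the affected
    parsing step: unanchored search for 'config.<version>.json'."""
    m = VULNERABLE_PATTERN.search(file_name)
    return m.group(1) if m else None


def extract_version_safe(file_name: str):
    """Hardened equivalent for illustration: anchored prefix/suffix checks and
    a slice, so the cost is linear in the name length and never backtracks.
    Unlike the unanchored search it rejects names such as 'x-config.1.json'."""
    if len(file_name) < len(PREFIX) + len(SUFFIX):
        return None
    if not (file_name.startswith(PREFIX) and file_name.endswith(SUFFIX)):
        return None
    return file_name[len(PREFIX):-len(SUFFIX)]


def crafted_file_name(repeats: int) -> str:
    """Constructed attacker input: many 'config.' candidates and no '.json'
    terminator, so every candidate start makes '(.*)' scan to the end and
    backtrack. Total regex work grows roughly with repeats ** 2."""
    return PREFIX * repeats


def _timed(fn, arg):
    start = time.perf_counter()
    result = fn(arg)
    return result, time.perf_counter() - start


def benchmark(repeats: int = 2000) -> dict:
    """Run both extractors on one crafted name and report wall-clock cost."""
    name = crafted_file_name(repeats)
    vuln_result, vuln_seconds = _timed(extract_version_search, name)
    safe_result, safe_seconds = _timed(extract_version_safe, name)
    return {
        "length": len(name),
        "vulnerable_result": vuln_result,
        "safe_result": safe_result,
        "vulnerable_seconds": vuln_seconds,
        "safe_seconds": safe_seconds,
    }


if __name__ == "__main__":
    # Doubling the input should roughly quadruple the vulnerable timing,
    # while the safe check stays in the microsecond range.
    for n in (500, 1000, 2000):
        r = benchmark(n)
        print(
            f"len={r['length']:6d}  search={r['vulnerable_seconds']:.4f}s  "
            f"safe={r['safe_seconds']:.6f}s  results={r['vulnerable_result']!r}/{r['safe_result']!r}"
        )
```

Both extractors agree on well-formed names such as 'config.4.49.0.json' and on the plain 'config.json' (no version, no match), so the anchored check is a drop-in replacement for the benign case while removing the quadratic path. A resource limit on the loading process (or a timeout around model loading) is the defensive measure a deployment can apply while the upgrade is rolled out.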
Users can upgrade to Hugging Face Transformers version 4.51.0 or later to address this vulnerability.