Hugging Face Transformers Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, in the 'get_imports()' function of 'dynamic_module_utils.py'. The function strips try/except blocks from a Python source file with a regular expression before extracting the file's import statements, and that pattern backtracks excessively on crafted content. A crafted file therefore causes excessive CPU consumption through catastrophic backtracking, disrupting remote code loading, exhausting resources in model serving, and offering a supply chain attack vector, since the file being scanned is the custom code shipped alongside a model. The page lists version 4.49.0 as affected and 4.51.0 as the first fixed release.

Impact

Exploitation causes excessive CPU consumption in the process that scans the custom code, disrupting model serving and remote code loading. Because 'get_imports()' runs on code fetched together with a model, a malicious model repository can deliver the crafted file to anyone who loads it with remote code enabled, which is what makes this a supply chain vector.

Reproduction

The vulnerability can be reproduced with a version of the Hugging Face Transformers library prior to 4.51.0. Call the 'get_imports()' function in 'dynamic_module_utils.py' on a file whose content is crafted against the regular expression used to filter try/except blocks from Python code: the input opens a try block that the pattern repeatedly fails to close, so the regex engine backtracks through every candidate ending and CPU time grows far faster than the input size.
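The following is an added example, not code from the Transformers project or from this advisory. It reproduces the class of slowdown described above with a try/except-stripping regex of the shape 'get_imports()' used before 4.51.0 (the exact pattern 'TRY_EXCEPT_RE' is reconstructed from memory and is an assumption, as are the helper names), times it on a constructed input that grows quadratically in cost, and contrasts it with an AST-based scanner written for this page that runs in linear time and rejects a syntactically invalid file up front. It is not the fix the project shipped.

```python
# Added example (not Transformers project code): a ReDoS-prone try/except
# filter of the shape the advisory describes, a constructed input that makes
# it grind, and an AST-based alternative that scans imports in linear time.
import ast
import re
import time

# Assumption: shape of the pre-4.51.0 try/except filter. Under DOTALL the lazy
# ".*?" re-tries the rest of the pattern at every candidate position.
TRY_EXCEPT_RE = re.compile(r"\s*try\s*:.*?except.*?:", flags=re.DOTALL)
IMPORT_RE = re.compile(r"^\s*import\s+(\S+)\s*$", flags=re.MULTILINE)
FROM_RE = re.compile(r"^\s*from\s+(\S+)\s+import", flags=re.MULTILINE)

# Constructed sample of a custom modeling file with an optional dependency.
SAMPLE_MODULE = """\
import os
import torch
from transformers import PreTrainedModel
from .configuration_custom import CustomConfig

if os.name == "nt":
    import winreg

try:
    import flash_attn
except ImportError:
    flash_attn = None
"""


def get_imports_regex(content: str) -> list[str]:
    """Regex-based import extraction in the style the advisory describes."""
    content = TRY_EXCEPT_RE.sub("", content)  # drop optional imports in try bodies
    names = IMPORT_RE.findall(content) + FROM_RE.findall(content)
    return sorted({n.split(".")[0] for n in names if not n.startswith(".")})


def crafted_input(n: int) -> str:
    """Constructed ReDoS input: a 'try:' whose block never ends in 'except ...:'.

    Each 'except' is a candidate end of the block; for every one of them the
    engine scans the remainder for ':' before giving up, so matching is O(n^2).
    """
    return "try:" + "except" * n


def time_regex_strip(n: int) -> float:
    """Seconds the vulnerable-style pattern spends on crafted_input(n)."""
    text = crafted_input(n)
    start = time.perf_counter()
    TRY_EXCEPT_RE.sub("", text)
    return time.perf_counter() - start


def is_valid_module(content: str) -> bool:
    """ast.parse is linear in the input; invalid code is rejected before any scan."""
    try:
        ast.parse(content)
    except SyntaxError:
        return False
    return True


def get_imports_ast(content: str) -> list[str]:
    """Linear-time alternative: walk the syntax tree, skipping imports inside
    try bodies (the optional-dependency idiom the regex was meant to ignore)."""
    if not is_valid_module(content):
        raise ValueError("not a valid Python module; refusing to scan")
    found: set[str] = set()

    def visit(statements: list[ast.stmt]) -> None:
        for node in statements:
            if isinstance(node, ast.Try):
                for handler in node.handlers:
                    visit(handler.body)
                visit(node.orelse)
                visit(node.finalbody)
            elif isinstance(node, ast.Import):
                found.update(alias.name.split(".")[0] for alias in node.names)
            elif isinstance(node, ast.ImportFrom):
                if node.level == 0 and node.module:
                    found.add(node.module.split(".")[0])
            else:
                # descend into if/with/for/def/class bodies so nested imports count
                for field in ("body", "orelse", "finalbody"):
                    child = getattr(node, field, None)
                    if isinstance(child, list):
                        visit(child)

    visit(ast.parse(content).body)
    return sorted(found)


if __name__ == "__main__":
    print("regex:", get_imports_regex(SAMPLE_MODULE))
    print("ast  :", get_imports_ast(SAMPLE_MODULE))
    for n in (500, 1000, 2000):
        size = len(crafted_input(n))
        print(f"n={n:5d} input={size:6d} bytes regex={time_regex_strip(n):.3f}s")
    # The AST scanner rejects the crafted file immediately instead of grinding on it.
    print("crafted input is valid Python:", is_valid_module(crafted_input(2000)))
```

Doubling 'n' roughly quadruples the regex time while the input only doubles, which is the signature to look for when triaging a suspected ReDoS. Both scanners agree on the constructed sample module; on the crafted input the regex path returns nothing after burning CPU, whereas the AST path fails fast because the file is not valid Python, which is also the outcome a remote-code loader would hit later anyway.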

Remediation

Users can upgrade to Hugging Face Transformers version 4.51.0 or later to address this vulnerability. The installed version can be checked with 'python -c "import transformers; print(transformers.__version__)"'. Until the upgrade is deployed, avoid loading models from untrusted repositories with remote code enabled ('trust_remote_code=True'), since that is the path on which 'get_imports()' scans repository-supplied code.

Added: Jul 7, 2025, 10:40 AM
Updated: Jul 7, 2025, 10:40 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.