Hugging Face Transformers
cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*
- <= 4.50.3
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the token2json() method of the DonutProcessor class. The issue affects versions 4.50.3 and earlier: a regex pattern used by that method can be driven into catastrophic backtracking by crafted input, causing significant CPU strain. Exploitation could disrupt services, exhaust resources, and potentially expose weaknesses in an API service, particularly in document processing tasks that use the Donut model.
Exploitation of this vulnerability leads to excessive CPU consumption, causing service disruption and resource exhaustion. It could also expose weaknesses in the API service, affecting document processing tasks that use the Donut model.
Users can upgrade to version 4.52.1 or later to address this vulnerability.
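An added illustration of the vulnerability class and of a regex-free alternative (example code written for this advisory, not the Transformers project's own): `BACKTRACKING_PATTERN` is a constructed nested-quantifier regex, not the pattern from `token2json()`, paired with a linear equivalent so the growth in match time can be compared; `parse_donut_like()` is a hypothetical single-pass parser for a simplified `<s_key>value</s_key>` / `<sep/>` tag format with an input-length cap, `MAX_SEQUENCE_CHARS`, in front of it. The tag grammar, the sample sequence and the cap value are assumptions made for the example.

```python
"""Added illustration for this advisory (not Transformers' own code): a
nested-quantifier regex of the class that backtracks catastrophically, its
linear-time equivalent, and a regex-free single-pass parser for a simplified
Donut-style <s_key>value</s_key> tag format with an input-length guard.
The pattern, the tag grammar, the sample sequence and MAX_SEQUENCE_CHARS are
constructed for this example; none of them is taken from token2json()."""
import json
import re
import time

# Nested quantifier over the same character class: when the trailing anchor
# fails, the engine tries every way to split the run of 'a's between the inner
# and outer groups (2^(n-1) splits). Constructed example, not the library's pattern.
BACKTRACKING_PATTERN = re.compile(r"^(a+)+$")
# Same language, no nested quantifier: one pass, nothing ambiguous to backtrack over.
SAFE_PATTERN = re.compile(r"^a+$")

# Constructed limit; a service would derive this from its real token budget.
MAX_SEQUENCE_CHARS = 4096

# Constructed sample of the simplified tag format parsed below.
SAMPLE_SEQUENCE = (
    "<s_menu><s_nm>Pizza</s_nm><s_price>10</s_price><sep/>"
    "<s_nm>Cola</s_nm><s_price>3</s_price></s_menu><s_total>13</s_total>"
)


def time_regex(pattern, text):
    """Return (matched, seconds) for a single match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def _finish_segment(children, text):
    """A segment with tagged children becomes a dict; otherwise its bare text."""
    return children if children else "".join(text).strip()


def _parse_block(seq, pos, closing):
    """Parse items until `closing` (e.g. '</s_menu>') or end of input.
    Every offset is visited once, so the walk is O(len(seq))."""
    segments, children, text = [], {}, []
    n = len(seq)
    while pos < n:
        if closing is not None and seq.startswith(closing, pos):
            pos += len(closing)
            break
        if seq.startswith("<sep/>", pos):
            # <sep/> separates sibling values of the enclosing key.
            segments.append(_finish_segment(children, text))
            children, text = {}, []
            pos += len("<sep/>")
            continue
        if seq.startswith("<s_", pos):
            end = seq.find(">", pos)
            if end == -1:
                raise ValueError(f"unterminated tag at offset {pos}")
            key = seq[pos + 3:end]
            if not key or "<" in key or "/" in key:
                raise ValueError(f"malformed key at offset {pos}")
            children[key], pos = _parse_block(seq, end + 1, f"</s_{key}>")
            continue
        # Bare text (an unrecognised '<' counts as text): jump to the next '<'.
        nxt = seq.find("<", pos + 1)
        nxt = n if nxt == -1 else nxt
        text.append(seq[pos:nxt])
        pos = nxt
    else:
        if closing is not None:
            raise ValueError(f"missing {closing}")
    segments.append(_finish_segment(children, text))
    return (segments[0] if len(segments) == 1 else segments), pos


def parse_donut_like(sequence, max_chars=MAX_SEQUENCE_CHARS):
    """Regex-free token2json-style conversion with a length guard in front.
    Raises ValueError on over-long or malformed input instead of backtracking."""
    if len(sequence) > max_chars:
        raise ValueError(f"sequence of {len(sequence)} chars exceeds {max_chars}")
    value, _ = _parse_block(sequence, 0, None)
    return value


def guarded_parse(sequence, max_chars=MAX_SEQUENCE_CHARS):
    """Service-facing wrapper: (True, parsed) or (False, reason) without raising."""
    try:
        return True, parse_donut_like(sequence, max_chars)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for n in (10, 14, 18):
        _, slow = time_regex(BACKTRACKING_PATTERN, "a" * n + "b")
        _, fast = time_regex(SAFE_PATTERN, "a" * n + "b")
        print(f"n={n:2d}: nested quantifier {slow:.4f}s, linear pattern {fast:.6f}s")
    print(json.dumps(guarded_parse(SAMPLE_SEQUENCE)[1], indent=2))
    print(guarded_parse("x" * (MAX_SEQUENCE_CHARS + 1)))
```

Run directly, the nested-quantifier timing roughly doubles with every extra character of non-matching input while the linear pattern and the parser stay flat. In a service, the length cap and a single-pass parse are controls worth applying in front of any tag-to-JSON step alongside the upgrade, since they bound the work an input can cause regardless of the pattern the library uses.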