Hugging Face Transformers
cpe:2.3:a:huggingface:transformers:*:*:*:*:*:*:*
- <= 4.51.3
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library, specifically in the 'convert_tf_weight_name_to_pt_weight_name()' function. This function, which converts TensorFlow weight names to PyTorch format, is vulnerable to catastrophic backtracking due to a regex pattern that can be exploited with crafted input strings. The vulnerability affects versions of the Transformers library prior to 4.51.3 and has been fixed in version 4.53.0. Exploiting this vulnerability can lead to excessive CPU consumption, causing service disruptions and resource exhaustion, particularly in environments that handle model conversion between TensorFlow and PyTorch.
Exploitation of this vulnerability can cause significant CPU load, leading to service disruptions, especially in production environments. This could slow down or halt model conversion processes, disrupt CI/CD pipelines, and cause local development environments to become unresponsive. Additionally, if the vulnerability is exploited through a REST API that exposes model conversion functionality, it could impact multiple users in a shared environment.
The vulnerability can be reproduced by installing the Transformers library and using the 'convert_tf_weight_name_to_pt_weight_name()' function with maliciously crafted TensorFlow weight names that exploit the regex pattern. This can be done by creating payloads that include repeated '___' patterns, which cause the regex to backtrack and consume excessive CPU resources. The increasing execution time can be measured to demonstrate the vulnerability.
Users can upgrade to Hugging Face Transformers version 4.53.0 or later, where this vulnerability has been fixed.
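Where an upgrade cannot be rolled out immediately, weight names can be screened before they reach the conversion function. The sketch below is an added example, not code from the Transformers project: it checks a version string against the fixed release and rejects names that are oversized or repeat '___' within one path segment. The function names, the length cap and the one-separator-per-segment limit are assumptions to adjust for your models.

```python
import re
from importlib import metadata

FIXED_VERSION = (4, 53, 0)  # fixed release named in the advisory
MAX_NAME_LEN = 512          # assumed cap on one weight name; tune to your models
MAX_SEP_PER_SEGMENT = 1     # assumed: at most one '___' per '/'-separated segment


def is_fixed(version: str) -> bool:
    """True only for a plain X.Y.Z release at or above the fixed version.
    Dev, rc and local builds are treated as unverified and return False."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and tuple(map(int, m.groups())) >= FIXED_VERSION


def installed_is_fixed():
    """Check the installed transformers package; None if it is not installed."""
    try:
        return is_fixed(metadata.version("transformers"))
    except metadata.PackageNotFoundError:
        return None


def screen_weight_name(name: str):
    """Return a rejection reason for a TF weight name, or None if it passes."""
    if len(name) > MAX_NAME_LEN:
        return "name too long"
    for segment in name.split("/"):
        if segment.count("___") > MAX_SEP_PER_SEGMENT:
            return "repeated '___' in one segment"
    return None


def screen_names(names):
    """Map each rejected name to its reason; an empty dict means all passed."""
    return {n: r for n in names if (r := screen_weight_name(n))}


# Constructed sample names, not taken from a real checkpoint.
SAMPLE = [
    "bert/encoder/layer_._0/attention/self/query/kernel:0",
    "model/shared___copy/embeddings:0",
    "model/" + "a___" * 40,   # many '___' in a single segment
    "w" * 600,                # oversized name
]

if __name__ == "__main__":
    print("installed release fixed:", installed_is_fixed())
    for name, reason in screen_names(SAMPLE).items():
        print(f"rejected ({reason}): {name[:40]}")
```

Screening of this kind is a stopgap for services that accept weight names from untrusted sources; the upgrade remains the fix.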