CVE-2025-3933
MEDIUMDescription
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploit Intelligence
Low risk: more likely to be exploited than 35% of all known CVEs.
References
Related Vulnerabilities
Other CWE-1333 vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2023-3364 | High | 7.5 | 45% | - | Fix |
| CVE-2024-8124 | High | 7.5 | 40% | - | Fix |
| CVE-2024-25126 | Medium | 5.3 | 35% | - | Fix |
| CVE-2024-2651 | Medium | 6.5 | 33% | - | Fix |
| CVE-2021-32837 | High | 7.5 | 29% | - | Fix |
| CVE-2024-2829 | High | 7.5 | 26% | - | Fix |
Embed a live status badge for CVE-2025-3933
Markdown
[](https://tridentstack.com/cve/CVE-2025-3933)HTML
<a href="https://tridentstack.com/cve/CVE-2025-3933"><img src="https://tridentstack.com/cve/badge/CVE-2025-3933.svg" alt="CVE-2025-3933"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-08-07.