What is the CVSS score of CVE-2025-3262?

CVE-2025-3262 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Transformers are affected by CVE-2025-3262?

CVE-2025-3262 presents notable security risk rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-3262?

Yes, a public proof-of-concept exploit is available for CVE-2025-3262. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-3262?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Transformers CVE-2025-3262

EUVD-2025-20217 HIGH

Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)

2025-07-07 security@huntr.dev

GHSA-489j-g2vx-39wf

Denial Of Service Transformers Red Hat

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Red Hat

5.3 MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 03:37 euvd

EUVD-2025-20217

Analysis Generated

Mar 16, 2026 - 03:37 vuln.today

Patch released

Mar 16, 2026 - 03:37 nvd

Patch available

PoC Detected

Aug 02, 2025 - 01:20 vuln.today

Public exploit code

CVE Published

Jul 07, 2025 - 10:15 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

76 pypi packages depend on transformers (69 direct, 7 indirect)

Ecosystem-wide dependent count for version 4.49.0.

DescriptionCVE.org

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the SETTING_RE variable within the transformers/commands/chat.py file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.

Analysis

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Inefficient Regular Expression Complexity (ReDoS) (CWE-1333).

RemediationAI

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Vendor StatusVendor

CVE-2025-3262 vulnerability details – vuln.today

Back

Transformers CVE-2025-3262

Severity by source

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionCVE.org

Analysis

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code