CVE-2025-6638 | huggingface transformers up to 4.52.x MarianTokenizer remove_language_code redos
A vulnerability identified as problematic has been detected in huggingface transformers up to 4.52.x. The impacted element is the function remove_language_code of the component MarianTokenizer. The manipulation leads to inefficient regular expression complexity.
This vulnerability is tracked as CVE-2025-6638. The attack can be initiated remotely. There is no exploit available.
You should upgrade the affected component.