CVE-2025-6051 is a Regular Expression Denial of Service (ReDoS) vulnerability identified in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects all versions up to 4.52.4 and was addressed in version 4.53.0. The root cause lies in inefficient regular expression handling of numeric strings, where crafted input containing long sequences of digits can trigger catastrophic backtracking in the regex engine. This leads to excessive CPU consumption and potential service disruption. The affected functionality is primarily related to text-to-speech and number normalization tasks, which are common in natural language processing (NLP) pipelines. An attacker can exploit this vulnerability by submitting specially crafted input strings to APIs or services that utilize the vulnerable method, causing resource exhaustion and denial of service without requiring authentication or user interaction. The CVSS score of 5.3 (medium severity) reflects the network vector, low attack complexity, no privileges or user interaction required, and an impact limited to availability (no confidentiality or integrity impact). No known exploits are reported in the wild yet, but the vulnerability poses a risk to any system relying on the affected versions of the Hugging Face Transformers library for processing numeric text data.

For European organizations, the impact of this vulnerability can be significant, especially for those deploying NLP services that utilize the Hugging Face Transformers library for text normalization or text-to-speech applications. Potential impacts include service outages or degraded performance due to CPU exhaustion, which can disrupt customer-facing applications, internal automation, or AI-driven analytics. This can lead to operational downtime, loss of productivity, and reputational damage. Since the vulnerability does not compromise data confidentiality or integrity, the primary concern is availability. Organizations offering AI-based services or APIs that process user input with the vulnerable library are at risk of denial of service attacks. This could affect sectors such as finance, healthcare, telecommunications, and public services, where NLP tools are increasingly integrated. Additionally, the vulnerability could be leveraged as part of a larger attack chain to cause distraction or resource depletion during targeted attacks.

European organizations should immediately upgrade any deployments of the Hugging Face Transformers library to version 4.53.0 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement input validation and sanitization to detect and reject unusually long numeric sequences before they reach the vulnerable `normalize_numbers()` method. Rate limiting and anomaly detection on API endpoints processing text normalization can help mitigate exploitation attempts. Monitoring CPU usage and setting resource limits on services using the library can prevent system-wide impact. Additionally, organizations should review their NLP pipelines to identify any indirect dependencies on the vulnerable library and ensure they are updated accordingly. Incorporating fuzz testing and regular expression complexity analysis into the development lifecycle can help detect similar issues proactively. Finally, maintain awareness of vendor advisories and community updates regarding this and related vulnerabilities.