
CVE-2025-6051: CWE-1333 Inefficient Regular Expression Complexity in huggingface huggingface/transformers

Severity: Medium
Tags: Vulnerability, CVE-2025-6051, CWE-1333
Published: Sun Sep 14 2025 (09/14/2025, 17:03:02 UTC)
Source: CVE Database V5
Vendor/Project: huggingface
Product: huggingface/transformers

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

AI-Powered Analysis

Last updated: 09/14/2025, 17:11:43 UTC

Technical Analysis

CVE-2025-6051 is a Regular Expression Denial of Service (ReDoS) vulnerability identified in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects all versions up to 4.52.4 and was addressed in version 4.53.0. The root cause lies in the inefficient handling of numeric strings by the regular expressions used in this method. Crafted input strings containing long sequences of digits can trigger excessive backtracking in the regex engine, leading to disproportionate CPU consumption and potential service degradation or denial. Since the Transformers library is widely used for natural language processing tasks, including text-to-speech and number normalization, this vulnerability can be exploited to cause resource exhaustion in applications relying on these functionalities. The vulnerability does not impact confidentiality or integrity but affects availability by enabling attackers to disrupt services through computational resource exhaustion. The CVSS v3.0 score is 5.3 (medium severity), reflecting that the attack can be launched remotely without authentication or user interaction, but only causes availability impact. No known exploits are reported in the wild yet, but the widespread use of the library in AI and NLP pipelines makes this a relevant concern for organizations using affected versions.

Potential Impact

For European organizations, the impact of CVE-2025-6051 can be significant in environments where the Hugging Face Transformers library is integrated into production systems for text normalization, speech synthesis, or other NLP services. Service disruption due to CPU exhaustion can degrade user experience, cause downtime, or increase operational costs through resource overuse. Organizations offering AI-driven customer support, automated transcription, or real-time language processing services are particularly at risk. Additionally, API endpoints that accept untrusted input and pass it to the vulnerable method may become vectors for denial-of-service attacks, affecting service availability and reliability. While no data breach or integrity compromise is involved, the availability impact can indirectly affect business continuity and reputation. Given the growing adoption of AI technologies in Europe, especially in sectors such as finance, healthcare, and telecommunications, this vulnerability could disrupt critical services if left unpatched.

Mitigation Recommendations

European organizations should prioritize upgrading the Hugging Face Transformers library to version 4.53.0 or later, where the vulnerability is fixed. If immediate upgrade is not feasible, implement input validation and sanitization to restrict or limit the length and format of numeric strings processed by the `normalize_numbers()` method to prevent triggering the ReDoS condition. Rate limiting and throttling API requests that involve text normalization can reduce the risk of resource exhaustion. Monitoring CPU usage and setting alerts for abnormal spikes in services using the Transformers library can help detect exploitation attempts early. Additionally, consider isolating NLP processing workloads in containerized or sandboxed environments to limit the impact of potential DoS attacks. Security teams should also review their dependency management and patching processes to ensure timely updates of AI/ML libraries.
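One way to apply the input-length restriction recommended above, as an added example that is not part of this advisory or of the Transformers library: a pre-filter that bounds the digit runs in text before it reaches the normalizer. The thresholds, function names, and the `normalize` callable are assumptions; a patched install's `EnglishNormalizer().normalize_numbers` would be the real callee.

```python
import re
from typing import Callable

# Assumed policy values (not from the advisory): tune MAX_DIGIT_RUN to the
# longest number your service legitimately needs to normalize.
MAX_DIGIT_RUN = 24
MAX_TEXT_LEN = 4096

# A single unanchored \d+ has no nested quantifiers, so this scan itself is
# linear in the input length and cannot reintroduce a backtracking blow-up.
_DIGIT_RUN = re.compile(r"\d+")


def check_numeric_input(text: str, max_run: int = MAX_DIGIT_RUN,
                        max_len: int = MAX_TEXT_LEN) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects text that exceeds the overall
    length budget or that contains a digit run longer than max_run."""
    if len(text) > max_len:
        return False, f"text length {len(text)} exceeds {max_len}"
    for m in _DIGIT_RUN.finditer(text):
        run = m.end() - m.start()
        if run > max_run:
            return False, (f"digit run of {run} at offset {m.start()} "
                           f"exceeds {max_run}")
    return True, "ok"


def truncate_digit_runs(text: str, max_run: int = MAX_DIGIT_RUN) -> str:
    """Lenient alternative: clip every digit run to max_run characters
    instead of rejecting the whole input."""
    return _DIGIT_RUN.sub(lambda m: m.group(0)[:max_run], text)


def safe_normalize(text: str, normalize: Callable[[str], str],
                   max_run: int = MAX_DIGIT_RUN) -> str:
    """Call `normalize` only after the input passes the guard; raise
    ValueError otherwise so the caller can return a 4xx instead of hanging."""
    ok, reason = check_numeric_input(text, max_run=max_run)
    if not ok:
        raise ValueError(f"rejected before normalization: {reason}")
    return normalize(text)


if __name__ == "__main__":
    # Constructed inputs: an ordinary sentence and one with an oversized digit run.
    print(check_numeric_input("Order 12345 ships in 3 days"))
    print(check_numeric_input("id " + "9" * 500))
    print(truncate_digit_runs("id " + "9" * 40, max_run=8))
```

Pair the guard with the CPU-usage alerting described above: rejections logged with the offset and run length give the monitoring team a concrete signal to correlate with spikes.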


Technical Details

Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2025-06-13T10:39:33.128Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68c6f734ed64d8647ec09549

Added to database: 9/14/2025, 5:11:16 PM

Last enriched: 9/14/2025, 5:11:43 PM

Last updated: 9/14/2025, 6:50:41 PM

