
CVE-2025-6921: CWE-400 Uncontrolled Resource Consumption in huggingface huggingface/transformers

Medium
Tags: Vulnerability, CVE-2025-6921, CWE-400
Published: Tue Sep 23 2025 (09/23/2025, 13:56:15 UTC)
Source: CVE Database V5
Vendor/Project: huggingface
Product: huggingface/transformers

Description

The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes user-controlled regular expressions in the include_in_weight_decay and exclude_from_weight_decay lists. Malicious regular expressions can cause catastrophic backtracking during the re.search call, leading to 100% CPU utilization and a denial of service. This issue can be exploited by attackers who can control the patterns in these lists, potentially causing the machine learning task to hang and rendering services unresponsive.

AI-Powered Analysis

AI analysis last updated: 09/23/2025, 14:02:31 UTC

Technical Analysis

CVE-2025-6921 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the huggingface/transformers library versions prior to 4.53.0. The issue is a Regular Expression Denial of Service (ReDoS) vulnerability located in the AdamWeightDecay optimizer component, specifically within the _do_use_weight_decay method. This method processes user-controlled regular expressions provided in the include_in_weight_decay and exclude_from_weight_decay lists. An attacker who can supply maliciously crafted regular expressions can trigger catastrophic backtracking during the execution of Python's re.search function. This results in excessive CPU consumption, potentially maxing out processor usage and causing the machine learning task or service relying on this library to hang or become unresponsive. The vulnerability does not impact confidentiality or integrity but affects availability by causing denial of service. Exploitation does not require authentication or user interaction, and the attack can be launched remotely if the attacker can influence the regular expression inputs. The CVSS v3.0 score is 5.3 (medium severity), reflecting the network attack vector, low complexity, no privileges required, no user interaction, and impact limited to availability. No known exploits are currently reported in the wild, and no official patches are linked yet, though upgrading to version 4.53.0 or later is implied to remediate the issue.

Potential Impact

For European organizations, the impact of this vulnerability can be significant in environments where huggingface/transformers is used for machine learning workflows, especially those involving the AdamWeightDecay optimizer with configurable weight decay patterns. Organizations in sectors such as finance, healthcare, research, and technology that rely on AI/ML models for critical decision-making or service delivery could experience service disruptions or degraded performance. The denial of service caused by CPU exhaustion can lead to downtime, delayed processing, and potential cascading effects on dependent systems or services. Since the vulnerability can be triggered remotely without authentication, exposed APIs or services that accept user input influencing these regular expressions are at risk. This could affect cloud-based ML platforms, AI-driven applications, or internal ML pipelines. While the vulnerability does not lead to data breaches or integrity compromise, the availability impact can affect business continuity and operational efficiency.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Immediately audit usage of the huggingface/transformers library, focusing on versions prior to 4.53.0 and the use of the AdamWeightDecay optimizer with user-configurable include_in_weight_decay or exclude_from_weight_decay parameters.
2) Restrict or sanitize inputs that influence these regular expression lists to prevent malicious patterns from being processed. Implement strict validation or whitelist acceptable regex patterns.
3) Upgrade the huggingface/transformers library to version 4.53.0 or later once available, as this version addresses the vulnerability.
4) Monitor CPU utilization and application logs for signs of excessive resource consumption or hanging processes related to ML tasks.
5) Isolate ML workloads in controlled environments with resource limits (e.g., CPU quotas, container limits) to mitigate impact if exploitation occurs.
6) For exposed services accepting user input that could influence these regex parameters, implement network-level protections such as WAF rules to detect and block suspicious payloads.
7) Educate developers and data scientists about the risks of processing untrusted regular expressions and encourage secure coding practices around regex usage.
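As an added illustration of step 2 above (validation of the include/exclude lists), this is example code written for this page, not code from huggingface/transformers or from the advisory. It assumes a caller that vets every pattern against a conservative allowlist grammar before handing it to re.search, and the hypothetical should_apply_weight_decay mirrors the include-then-exclude check described for _do_use_weight_decay; the exact semantics of the library's method are an assumption.

```python
import re
from typing import Iterable, List, Optional

# Allowlist grammar for one alternation branch of a parameter-name pattern:
# optional ^ anchor, a run of name characters (letters, digits, _ / -) or
# escaped dots (\.), optional $ anchor. No quantifiers, groups, classes or
# unescaped dots are permitted, so nothing accepted here can backtrack
# catastrophically when passed to re.search.
_BRANCH_RE = re.compile(r"^\^?(?:[A-Za-z0-9_/-]|\\\.)+\$?$")
_MAX_PATTERN_LEN = 256  # assumed upper bound; parameter names are short


def is_safe_name_pattern(pattern: str) -> bool:
    """True only if the pattern is a plain '|'-alternation of name literals."""
    if not pattern or len(pattern) > _MAX_PATTERN_LEN:
        return False
    return all(_BRANCH_RE.fullmatch(branch) for branch in pattern.split("|"))


def vet_patterns(patterns: Optional[Iterable[str]]) -> List[str]:
    """Reject the whole list if any entry falls outside the allowlist grammar."""
    vetted: List[str] = []
    for p in patterns or []:
        if not is_safe_name_pattern(p):
            raise ValueError(f"rejected weight-decay pattern: {p!r}")
        vetted.append(p)
    return vetted


def should_apply_weight_decay(param_name: str,
                              include: Optional[Iterable[str]] = None,
                              exclude: Optional[Iterable[str]] = None) -> bool:
    """Hypothetical hardened include/exclude check (assumed semantics):
    an include match wins, otherwise an exclude match disables decay."""
    include_vetted = vet_patterns(include)
    exclude_vetted = vet_patterns(exclude)
    for r in include_vetted:
        if re.search(r, param_name) is not None:
            return True
    for r in exclude_vetted:
        if re.search(r, param_name) is not None:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample parameter names and lists, as a service might receive them.
    exclude = ["LayerNorm", "bias"]
    print(should_apply_weight_decay("encoder.layer.0.output.LayerNorm.weight", exclude=exclude))
    print(is_safe_name_pattern("(a+)+$"))  # backtracking-prone pattern is refused
```

Because the validator rejects the list before any re.search runs, a hostile pattern never reaches the matcher; the trade-off is that legitimate but more expressive regexes must be added to the allowlist grammar explicitly.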


Technical Details

Data Version: 5.1
Assigner Short Name: @huntr_ai
Date Reserved: 2025-06-30T09:44:12.092Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68d2a78d3a159a196863e81d

Added to database: 9/23/2025, 1:58:37 PM

Last enriched: 9/23/2025, 2:02:31 PM

Last updated: 9/25/2025, 12:08:24 AM
