transformer fix (#5127)

Atharva-Rajan-Kale · web-flow · commit 65ec1d228732 · 2025-08-05T14:47:41.000-07:00
* transformer fix

* revert toml

* update reason
diff --git a/autogluon/inference/docker/1.4/py3/Dockerfile.cpu.os_scan_allowlist.json b/autogluon/inference/docker/1.4/py3/Dockerfile.cpu.os_scan_allowlist.json
@@ -382,6 +382,35 @@
             "status": "ACTIVE",
             "title": "CVE-2025-2099 - transformers",
             "reason_to_ignore": "Security vulnerability allowlisted for AutoGluon DLC"
+        },
+        {
+            "description": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.", 
+            "vulnerability_id": "CVE-2025-3262", 
+            "name": "CVE-2025-3262", 
+            "package_name": "transformers", 
+            "package_details": {
+                "file_path": "/opt/conda/lib/python3.11/site-packages/transformers-4.49.0.dist-info/METADATA", 
+                "name": "transformers", 
+                "package_manager": "PYTHON", 
+                "version": "4.49.0", 
+                "release": null
+            }, 
+            "remediation": {
+                "recommendation": {
+                    "text": "None Provided"
+                }
+            }, 
+            "cvss_v3_score": 7.5, 
+            "cvss_v30_score": 0.0, 
+            "cvss_v31_score": 7.5, 
+            "cvss_v2_score": 0.0, 
+            "cvss_v3_severity": "HIGH", 
+            "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3262", 
+            "source": "NVD", 
+            "severity": "HIGH", 
+            "status": "ACTIVE", 
+            "title": "CVE-2025-3262 - transformers", 
+            "reason_to_ignore": "No fix provided"
         }
     ],
     "lightgbm": [
diff --git a/autogluon/inference/docker/1.4/py3/cu124/Dockerfile.gpu.os_scan_allowlist.json b/autogluon/inference/docker/1.4/py3/cu124/Dockerfile.gpu.os_scan_allowlist.json
@@ -382,6 +382,35 @@
             "status": "ACTIVE",
             "title": "CVE-2025-2099 - transformers",
             "reason_to_ignore": "Security vulnerability allowlisted for AutoGluon DLC"
+        },
+        {
+            "description": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.", 
+            "vulnerability_id": "CVE-2025-3262", 
+            "name": "CVE-2025-3262", 
+            "package_name": "transformers", 
+            "package_details": {
+                "file_path": "/opt/conda/lib/python3.11/site-packages/transformers-4.49.0.dist-info/METADATA", 
+                "name": "transformers", 
+                "package_manager": "PYTHON", 
+                "version": "4.49.0", 
+                "release": null
+            }, 
+            "remediation": {
+                "recommendation": {
+                    "text": "None Provided"
+                }
+            }, 
+            "cvss_v3_score": 7.5, 
+            "cvss_v30_score": 0.0, 
+            "cvss_v31_score": 7.5, 
+            "cvss_v2_score": 0.0, 
+            "cvss_v3_severity": "HIGH", 
+            "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3262", 
+            "source": "NVD", 
+            "severity": "HIGH", 
+            "status": "ACTIVE", 
+            "title": "CVE-2025-3262 - transformers", 
+            "reason_to_ignore": "No fix provided"
         }
     ],
     "lightgbm": [
diff --git a/autogluon/training/docker/1.4/py3/Dockerfile.cpu.os_scan_allowlist.json b/autogluon/training/docker/1.4/py3/Dockerfile.cpu.os_scan_allowlist.json
@@ -382,6 +382,35 @@
             "status": "ACTIVE",
             "title": "CVE-2025-2099 - transformers",
             "reason_to_ignore": "Security vulnerability allowlisted for AutoGluon DLC"
+        },
+        {
+            "description": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.", 
+            "vulnerability_id": "CVE-2025-3262", 
+            "name": "CVE-2025-3262", 
+            "package_name": "transformers", 
+            "package_details": {
+                "file_path": "/opt/conda/lib/python3.11/site-packages/transformers-4.49.0.dist-info/METADATA", 
+                "name": "transformers", 
+                "package_manager": "PYTHON", 
+                "version": "4.49.0", 
+                "release": null
+            }, 
+            "remediation": {
+                "recommendation": {
+                    "text": "None Provided"
+                }
+            }, 
+            "cvss_v3_score": 7.5, 
+            "cvss_v30_score": 0.0, 
+            "cvss_v31_score": 7.5, 
+            "cvss_v2_score": 0.0, 
+            "cvss_v3_severity": "HIGH", 
+            "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3262", 
+            "source": "NVD", 
+            "severity": "HIGH", 
+            "status": "ACTIVE", 
+            "title": "CVE-2025-3262 - transformers", 
+            "reason_to_ignore": "No fix provided"
         }
     ],
     "lightgbm": [
diff --git a/autogluon/training/docker/1.4/py3/cu124/Dockerfile.gpu.os_scan_allowlist.json b/autogluon/training/docker/1.4/py3/cu124/Dockerfile.gpu.os_scan_allowlist.json
@@ -382,6 +382,35 @@
             "status": "ACTIVE",
             "title": "CVE-2025-2099 - transformers",
             "reason_to_ignore": "Security vulnerability allowlisted for AutoGluon DLC"
+        },
+        {
+            "description": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0.", 
+            "vulnerability_id": "CVE-2025-3262", 
+            "name": "CVE-2025-3262", 
+            "package_name": "transformers", 
+            "package_details": {
+                "file_path": "/opt/conda/lib/python3.11/site-packages/transformers-4.49.0.dist-info/METADATA", 
+                "name": "transformers", 
+                "package_manager": "PYTHON", 
+                "version": "4.49.0", 
+                "release": null
+            }, 
+            "remediation": {
+                "recommendation": {
+                    "text": "None Provided"
+                }
+            }, 
+            "cvss_v3_score": 7.5, 
+            "cvss_v30_score": 0.0, 
+            "cvss_v31_score": 7.5, 
+            "cvss_v2_score": 0.0, 
+            "cvss_v3_severity": "HIGH", 
+            "source_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3262", 
+            "source": "NVD", 
+            "severity": "HIGH", 
+            "status": "ACTIVE", 
+            "title": "CVE-2025-3262 - transformers", 
+            "reason_to_ignore": "No fix provided"
         }
     ],
     "lightgbm": [
