Inefficient Regular Expression Complexity
CVE-2025-6921
Summary
The huggingface/transformers library, in versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the "AdamWeightDecay" optimizer. The vulnerability arises from the "_do_use_weight_decay()" method, which treats the entries of the user-controlled "include_in_weight_decay" and "exclude_from_weight_decay" lists as regular expressions. A malicious pattern can cause catastrophic backtracking during the "re.search" call, driving CPU utilization to 100% and resulting in a Denial of Service (DoS). The issue can be exploited by anyone who controls the patterns in these lists, potentially causing the machine learning task to hang and rendering dependent services unresponsive.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
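As an added example (this is not code from the advisory or from the transformers project), the block below reconstructs the decision logic the summary describes, in which every list entry is handed to `re.search` as a pattern, and places it beside a hardened variant that accepts only literal parameter-name fragments and matches them by substring, so no user-supplied text ever reaches the regex engine. The function names, the `_LITERAL_NAME_FRAGMENT` character set and the sample parameter names are assumptions constructed for the example.

```python
import re
from typing import Iterable, Optional, Sequence, Tuple

# Constructed sample variable names in the style of TF/Keras model weights.
SAMPLE_PARAMS = [
    "tf_bert/encoder/layer_0/attention/self/query/kernel:0",
    "tf_bert/encoder/layer_0/attention/output/LayerNorm/gamma:0",
    "tf_bert/encoder/layer_0/attention/output/dense/bias:0",
]


def do_use_weight_decay_unsafe(param_name: str,
                               include: Optional[Sequence[str]],
                               exclude: Optional[Sequence[str]]) -> bool:
    """Reconstruction of the pattern described in the advisory (assumption,
    not the library's code): each list entry is a regular expression evaluated
    with re.search, so a pathological entry backtracks against every
    parameter name in the model."""
    if include:
        for r in include:
            if re.search(r, param_name) is not None:
                return True
    if exclude:
        for r in exclude:
            if re.search(r, param_name) is not None:
                return False
    return True


# Hardened design: filter entries are plain name fragments, not regexes.
# The allowed characters cover the usual TF/Keras variable-name alphabet;
# anything else (quantifiers, groups, alternation, ...) is rejected up front.
_LITERAL_NAME_FRAGMENT = re.compile(r"^[A-Za-z0-9_./:-]{1,64}$")


def validate_name_fragments(fragments: Optional[Iterable[str]]) -> Tuple[str, ...]:
    """Validate filter entries once, at optimizer construction time, and fail
    closed on anything that is not a short literal fragment."""
    if not fragments:
        return ()
    checked = []
    for f in fragments:
        if not isinstance(f, str) or not _LITERAL_NAME_FRAGMENT.fullmatch(f):
            raise ValueError(
                f"weight-decay filter must be a plain name fragment, got {f!r}")
        checked.append(f)
    return tuple(checked)


def do_use_weight_decay_safe(param_name: str,
                             include: Optional[Sequence[str]],
                             exclude: Optional[Sequence[str]]) -> bool:
    """Same decision flow as the unsafe variant, but matching is a constant-
    time-per-character substring test, so runtime is bounded by input length."""
    include = validate_name_fragments(include)
    exclude = validate_name_fragments(exclude)
    if any(f in param_name for f in include):
        return True
    if any(f in param_name for f in exclude):
        return False
    return True


def decisions_for_samples(include: Optional[Sequence[str]],
                          exclude: Optional[Sequence[str]]) -> dict:
    """Apply the hardened filter to the constructed sample names."""
    return {p: do_use_weight_decay_safe(p, include, exclude) for p in SAMPLE_PARAMS}


if __name__ == "__main__":
    # Literal fragments of the kind a training script typically passes.
    for name, decay in decisions_for_samples(None, ["LayerNorm", "bias"]).items():
        print(f"{decay!s:5}  {name}")
```

The validation step is deliberately strict: if a deployment genuinely needs regular expressions in these lists, the remaining safe options are to compile them only from a trusted, reviewed configuration rather than from request data, or to evaluate them with a matcher that enforces a time budget (the third-party `regex` module accepts a `timeout` argument, which the standard `re` module does not).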