Code Injection Vulnerability in NVIDIA Merlin Transformers4Rec
CVE-2025-23298
What is CVE-2025-23298?
CVE-2025-23298 is a critical code injection vulnerability in NVIDIA's Merlin Transformers4Rec, a framework for building recommender systems with machine learning. The flaw lies in a specific Python dependency and could allow an attacker to inject malicious code. If exploited, it could lead to unauthorized code execution, privilege escalation, information disclosure, and data tampering. Organizations relying on this software face significant operational disruption and security risk, so addressing this vulnerability is essential.
Potential impact of CVE-2025-23298
- Unauthorized Code Execution: Attackers could exploit this vulnerability to execute arbitrary code on vulnerable systems, potentially leading to full system compromise and unauthorized actions.
- Privilege Escalation: The vulnerability could permit attackers to gain elevated privileges within the affected system, allowing them to perform actions that would typically be restricted to higher-level users.
- Information Disclosure and Data Tampering: Successful exploitation may expose sensitive information or allow attackers to modify data, undermining the integrity of the systems and leading to significant data breaches.
Affected Version(s)
NVIDIA Merlin Transformers4Rec | All | All versions that do not include code commit b7eaea5
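To check a source checkout against the version statement above, here is an added example (my own code, not from the advisory or the Transformers4Rec project). It assumes git is on PATH, that the checkout is a git clone, and that b7eaea5 is an abbreviated commit id to be prefix-matched against the full hashes reachable from HEAD.

```python
# Added example: does a local Transformers4Rec checkout contain the fixing
# commit b7eaea5 named in the advisory? Not code from NVIDIA or the project.
import subprocess
from typing import Iterable, List

FIX_COMMIT = "b7eaea5"  # abbreviated commit id quoted in the advisory


def contains_commit(reachable_hashes: Iterable[str], short_id: str) -> bool:
    """True if exactly one reachable commit hash starts with short_id.

    git abbreviates ids as prefixes of the full hash. An ambiguous prefix
    (several matches) is treated as unknown and returns False, so the caller
    investigates instead of assuming the fix is present.
    """
    short_id = short_id.strip().lower()
    if not short_id:
        raise ValueError("empty commit id")
    matches = [h for h in reachable_hashes if h.lower().startswith(short_id)]
    return len(matches) == 1


def reachable_from_head(repo_dir: str) -> List[str]:
    """Full hashes of every commit reachable from HEAD (`git rev-list HEAD`)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "rev-list", "HEAD"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.split()


def is_fixed_checkout(repo_dir: str) -> bool:
    """True when the checkout's history includes the fix commit."""
    return contains_commit(reachable_from_head(repo_dir), FIX_COMMIT)


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "."
    if is_fixed_checkout(path):
        print("fix commit present in history")
    else:
        print("fix commit NOT present: affected per CVE-2025-23298")
```

This only applies to git clones; a wheel installed with pip carries no history, so for those compare the installed version against the project's release that follows commit b7eaea5.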