Code Injection Vulnerability in NVIDIA Merlin Transformers4Rec
CVE-2025-23298

7.8HIGH

Key Information:

Vendor: Nvidia
Status: Nvidia Merlin Transformers4rec
Vendor: CVE Published:; 13 August 2025

What is CVE-2025-23298?

NVIDIA Merlin Transformers4Rec is susceptible to a code injection vulnerability stemming from a flaw in a python dependency. This vulnerability enables an attacker to execute arbitrary code, which could lead to unauthorized privilege escalation, sensitive information disclosure, and potential data manipulation. Users of Merlin Transformers4Rec are encouraged to apply security patches promptly to mitigate associated risks.

Affected Version(s)

NVIDIA Merlin Transformers4Rec All All versions that do not include code commit b7eaea5

References

https://nvd.nist.gov/vuln/detail/CVE-2025-23298

https://www.cve.org/CVERecord?id=CVE-2025-23298

https://nvidia.custhelp.com/app/answers/detail/a_id/5683

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 13, 2025
Vulnerability Reserved
Jan 14, 2025

Nvidia

What is CVE-2025-23298?

Affected Version(s)

References

CVSS V3.1

Timeline