Deserialization Vulnerability in NVIDIA Merlin Transformers4Rec for Linux
CVE-2025-33213
8.8 HIGH
What is CVE-2025-33213?
NVIDIA Merlin Transformers4Rec for Linux contains a deserialization vulnerability in its Trainer component. An attacker could exploit this vulnerability to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data within the system. This underscores the importance of keeping software up to date and implementing robust security measures to mitigate potential risks. Organizations using this product should assess their systems for exposure and apply the patches or mitigations provided by NVIDIA.
Affected Version(s)
Merlin Transformers4Rec (Linux): all versions that do not include commit 876f19e
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved