Discovered by the Trend Micro Zero Day Initiative (ZDI) Threat Hunting Team, the flaw stems from unsafe deserialization in the model checkpoint loading functionality.
Tracked as CVE-2025-23298, this vulnerability underscores persistent security challenges in machine learning frameworks that rely on Python’s pickle serialization.
During a comprehensive audit of ML/AI frameworks for supply chain risks, ZDI researchers homed in on how models are persisted and loaded.
They identified that the load_model_trainer_states_from_checkpoint function in Transformers4Rec uses PyTorch torch.load() without sandboxing or class restrictions.
Because torch.load() relies on Python’s pickle protocol, it can execute arbitrary code during deserialization.
ZDI confirmed that loading a crafted checkpoint file could trigger root-level commands immediately upon restoring model state.
This unsafe deserialization pathway exposes systems to full compromise in environments where ML services run with elevated privileges.
To demonstrate the risk, the research team constructed a malicious checkpoint object whose __reduce__ method invokes system commands.
When torch.save() writes this object into a checkpoint file and torch.load() later reads it, the attacker’s payload executes before any model weights are processed.
In production settings, this leads to complete system takeover, enabling threat actors to exfiltrate sensitive data, install persistent backdoors, and pivot to other network assets.
The exploit can be weaponized for espionage, ransomware deployment, or destruction of critical infrastructure.
NVIDIA addressed the issue in Transformers4Rec commit b7eaea5 (PR #802), replacing direct pickle calls with a custom loader that restricts deserialization to approved classes.
The patch introduces a secure load() function in serialization.py to validate object types before restoration.
Users are urged to update to the patched version immediately.
To prevent similar flaws, developers should avoid processing untrusted pickle data altogether. Instead, they can use the weights_only=True option to limit deserialization scope.
This vulnerability highlights the urgent need for secure serialization standards in ML/AI ecosystems. Despite longstanding community warnings about the dangers of pickle-based workflows, this attack vector remains prevalent.
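The approved-class restriction described for the patch, and the narrower scope that weights_only=True enforces inside torch.load(), both come down to refusing any global a pickle stream references before the unpickler can call it. The following added example (not code from Transformers4Rec or the patch) shows that gate with the standard-library pickle module only, so it runs without PyTorch; the allow-list, the checkpoint contents and the ReduceOnLoad stand-in object are all constructed for the example, and os.getcwd is a harmless placeholder for the callable a crafted __reduce__ would name.

```python
import collections
import io
import os
import pickle

# Globals a checkpoint may reference; anything else is refused before the
# unpickler can call it. Assumed list for this example; a real loader would
# enumerate the tensor and storage classes its framework actually needs.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("collections", "OrderedDict"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals (the approved-class idea)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Raised on the GLOBAL reference itself, so no REDUCE call ever happens.
        raise pickle.UnpicklingError(f"forbidden global {module}.{name} in checkpoint")

def load_checkpoint(data: bytes):
    """Restore trainer state from checkpoint bytes through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

class ReduceOnLoad:
    """Stand-in for the crafted object: __reduce__ names a callable to run on load.
    os.getcwd is a harmless placeholder; the gate fires on the reference, not the call."""

    def __reduce__(self):
        return (os.getcwd, ())

def build_benign_checkpoint() -> bytes:
    """Constructed sample: plain trainer state with no custom classes."""
    return pickle.dumps(collections.OrderedDict(epoch=3, weights=[0.1, 0.2]))

def build_reduce_checkpoint() -> bytes:
    """Constructed sample: checkpoint carrying a __reduce__ payload."""
    return pickle.dumps(ReduceOnLoad())

def loads_safely(data: bytes) -> bool:
    """True if the checkpoint restores, False if the allow-list rejects it."""
    try:
        load_checkpoint(data)
        return True
    except pickle.UnpicklingError:
        return False
```

A plain pickle.load() on the second sample would invoke the referenced callable during deserialization; the restricted loader rejects the stream at the global lookup, which is the behaviour an approved-class loader needs.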
| CVE Identifier | Affected Product | Impact | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-23298 | NVIDIA Merlin Transformers4Rec | Remote Code Execution as root | 9.8 |
Organizations must adopt robust threat modeling for their ML supply chains and embrace safer alternatives to prevent future outbreaks of remote code execution in AI frameworks.
The post Critical Vulnerability in NVIDIA Merlin Allows Remote Code Execution with Root Privileges appeared first on Cyber Security News.