Categories: Cyber Security News

Critical Vulnerability in NVIDIA Merlin Allows Remote Code Execution with Root Privileges

A critical vulnerability in NVIDIA’s Merlin Transformers4Rec library allows attackers to achieve remote code execution with root privileges.

Discovered by the Trend Micro Zero Day Initiative (ZDI) Threat Hunting Team, the flaw stems from unsafe deserialization in the model checkpoint loading functionality.

Tracked as CVE-2025-23298, this vulnerability underscores persistent security challenges in machine learning frameworks that rely on Python’s pickle serialization.

Discovery of Unsafe Deserialization

During a comprehensive audit of ML/AI frameworks for supply chain risks, ZDI researchers homed in on how models are persisted and loaded.

They identified that the load_model_trainer_states_from_checkpoint function in Transformers4Rec uses PyTorch torch.load() without sandboxing or class restrictions.

Because torch.load() leverages Python’s pickle protocol, it can execute arbitrary code during deserialization.

ZDI confirmed that loading a crafted checkpoint file could trigger root-level commands immediately upon restoring model state.

This unsafe deserialization pathway exposes systems to full compromise in environments where ML services run with elevated privileges.

Exploit Technique and Impact

To demonstrate the risk, the research team constructed a malicious checkpoint object whose __reduce__ method invokes system commands.

When torch.save() writes this object into a checkpoint file and torch.load() later reads it, the attacker’s payload executes before any model weights are processed.

In production settings, this leads to complete system takeover, enabling threat actors to exfiltrate sensitive data, install persistent backdoors, and pivot to other network assets.

The exploit can be weaponized for espionage, ransomware deployment, or destruction of critical infrastructure.

NVIDIA addressed the issue in Transformers4Rec commit b7eaea5 (PR #802), replacing direct pickle calls with a custom loader that restricts deserialization to approved classes.

The patch introduces a secure load() function in serialization.py to validate object types before restoration.

Users are urged to update to the patched version immediately.

To prevent similar flaws, developers should avoid processing untrusted pickle data altogether. Instead, they can:

  • Use PyTorch’s weights_only=True option to limit deserialization scope.
  • Adopt safer model serialization formats such as safetensors or ONNX.
  • Enforce rigorous checkpoint provenance checks and cryptographic signatures.
  • Sandbox model loading processes to minimize privilege exposure.
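The patch described above restricts deserialization to approved classes, and the weights_only=True option works the same way: PyTorch loads the checkpoint through a restricted unpickler that refuses to resolve globals outside an allowlist. The following is an added example, not Transformers4Rec’s own serialization.py or PyTorch code, that shows the two defensive pieces a practitioner wants around any pickle-based checkpoint: a static scan that lists every global a pickle stream would import (usable in CI or on an artifact store, without executing anything) and a restricted Unpickler whose find_class rejects anything off the allowlist. It uses only the standard library; ALLOWED_GLOBALS is a placeholder allowlist (a real PyTorch loader also needs torch’s tensor-rebuild helpers), and the three sample checkpoints are constructed inline, with a pickled Fraction standing in for an object that carries an unapproved __reduce__ target.

```python
import io
import pickle
import pickletools
from collections import OrderedDict
from fractions import Fraction

# Hypothetical allowlist of (module, name) pairs a checkpoint may reference.
# A real loader for PyTorch checkpoints would also list torch's own rebuild
# helpers, which torch.load(weights_only=True) already allowlists internally.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}

# Opcodes that push a string onto the pickle stack; STACK_GLOBAL consumes
# the two most recent ones as (module, name).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> list:
    """Static scan: every global the stream would import, without running it.
    Tracks only the last two string pushes for STACK_GLOBAL, which is enough
    for ordinary checkpoints; a memo-aware walk would be needed for streams
    that reuse module/name strings via BINGET."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":             # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":     # protocol >= 4: module, name on stack
            if len(recent) >= 2:
                found.append((recent[-2], recent[-1]))
        elif op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
    return found


def disallowed_globals(data: bytes) -> list:
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]


def classify(data: bytes) -> str:
    """Verdict for a scanner pipeline: 'ok' or the forbidden globals found."""
    bad = disallowed_globals(data)
    if bad:
        return "reject: " + ", ".join(f"{m}.{n}" for m, n in bad)
    return "ok"


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any global outside ALLOWED_GLOBALS, so a __reduce__ payload can
    never resolve the callable it wants to run."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"checkpoint references forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes):
    """Return (True, object) on success or (False, reason) when blocked."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample "checkpoints" (not real model files).
CLEAN = pickle.dumps({"weight": [0.5, -0.25], "bias": [0.0]})   # no globals at all
ORDERED = pickle.dumps(OrderedDict([("layer.weight", [1.0, 2.0])]))  # allowed global
# Harmless object whose pickle imports a class that is NOT on the allowlist;
# it stands in for any __reduce__-bearing object, without executing anything.
UNAPPROVED = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("ordered", ORDERED), ("unapproved", UNAPPROVED)):
        ok, result = load_or_reject(blob)
        print(f"{label:10} scan={classify(blob)!r:35} load={'loaded' if ok else result}")
```

The scanner and the restricted loader are complementary: the scan gives a cheap triage signal for files at rest (and a log line for detection), while the loader is the actual control, since find_class is consulted before any REDUCE can run. Both are moot for formats such as safetensors that carry no executable structure at all.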

This vulnerability highlights the urgent need for secure serialization standards in ML/AI ecosystems. Despite longstanding community warnings about the dangers of pickle-based workflows, this attack vector remains prevalent.

CVE Identifier    Affected Product                 Impact                          CVSS 3.1 Score
CVE-2025-23298    NVIDIA Merlin Transformers4Rec   Remote Code Execution as root   9.8

Organizations must adopt robust threat modeling for their ML supply chains and embrace safer alternatives to prevent future outbreaks of remote code execution in AI frameworks.


The post Critical Vulnerability in NVIDIA Merlin Allows Remote Code Execution with Root Privileges appeared first on Cyber Security News.

rssfeeds-admin
