Both vulnerabilities could allow local attackers with low privileges to execute arbitrary code, escalate privileges, and compromise system integrity.
The two vulnerabilities, CVE-2025-23361 and CVE-2025-33178, stem from improper handling of code-generation mechanisms in the NeMo Framework.
These flaws pose a significant security risk for organizations that deploy NVIDIA’s natural language processing and machine learning toolkit across their infrastructure.
CVE-2025-23361 involves a script in the NeMo Framework that fails to properly validate and control code generation when processing user-supplied input.
An attacker with local access could craft malicious input to manipulate the code-generation process, leading to arbitrary code execution.
The vulnerability requires low privileges to exploit, making it accessible to standard user accounts on affected systems.
CVE-2025-33178 affects the BERT services component and enables code injection through malicious data.
The BERT (Bidirectional Encoder Representations from Transformers) service, commonly used for natural language understanding tasks, does not adequately sanitize input before processing, allowing attackers to inject and execute arbitrary code.
Both vulnerabilities carry identical CVSS v3.1 base scores of 7.8 (High severity) and share the same attack vector profile: local access with low privilege requirements.
The attack complexity is low, meaning exploitation requires minimal effort once initial access is obtained.
Successful exploitation could result in complete system compromise through code execution, privilege escalation to higher-level accounts, unauthorized information disclosure, and data tampering.
NVIDIA recommends updating the NeMo Framework to version 2.5.0 or later immediately. Users can obtain the patched version through two channels: the official NVIDIA GitHub repository at https://github.com/NVIDIA/NeMo/releases and the Python Package Index (PyPI) at https://pypi.org/project/nemo-toolkit/.
Organizations should prioritize this update given the direct path to code execution and privilege escalation.
The vulnerabilities affect all platforms and versions of the NeMo Framework before 2.5.0, creating a broad attack surface across development, testing, and production environments.
TencentAISec reported CVE-2025-23361, while researchers Guanheng Liu and Pinji Chen from the NISL lab at Tsinghua University discovered CVE-2025-33178.
| CVE ID | Component | Vulnerability Type | CVSS Score | Severity | CWE | Primary Impact | Attack Vector | Privileges Required |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-23361 | NeMo Framework Script | Improper Code Generation Control | 7.8 | High | CWE-94 | Code Execution, Privilege Escalation, Data Tampering, Information Disclosure | Local (AV:L) | Low (PR:L) |
| CVE-2025-33178 | BERT Services Component | Code Injection | 7.8 | High | CWE-94 | Code Execution, Privilege Escalation, Data Tampering, Information Disclosure | Local (AV:L) | Low (PR:L) |
Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates
The post NVIDIA NeMo Framework Flaw Enables Code Injection and Privilege Escalation appeared first on Cyber Security News.
Emily Blunt, Cillian Murphy, Millicent Simmonds, and Noah Jupe are officially reprising their roles for…
Whether you’re after a new Apple Watch Ultra or want to add a few new…
Sony's upgraded PlayStation Spectral Super Resolution (PSSR) technology is rolling out to several titles on…
There's no better time to dive into the world of immersive VR gaming. AliExpress is…
Krafton has been ordered to reinstate the former boss of Subnautica 2 studio Unknown Worlds…
Tje GeForce RTX 5080 graphics card will allow you to run all of the latest…
This website uses cookies.