The vulnerabilities, tracked as CVE-2025-23361 and CVE-2025-33178, both carry a CVSS score of 7.8 and affect all versions of the NeMo Framework before version 2.5.0 across all platforms.
The first vulnerability, CVE-2025-23361, exists in a framework script, where malicious input from an attacker may cause improper control over code generation.
The second flaw, CVE-2025-33178, resides in the Bert services component and enables code injection through malicious data.
Both vulnerabilities share the same attack vector and require local access with low privileges.

| CVE ID | Description | CVSS Score | CWE |
|---|---|---|---|
| CVE-2025-23361 | Improper control of code generation in framework script | 7.8 | CWE-94 |
| CVE-2025-33178 | Code injection in Bert services component | 7.8 | CWE-94 |

Successful exploitation could result in code execution, privilege escalation, information disclosure, and data manipulation, posing significant risks to organizations using the framework.
The vulnerabilities were discovered and reported by security researchers from TencentAISec and NISL lab at Tsinghua University, highlighting the importance of collaborative security research.
All versions of the NVIDIA NeMo Framework before 2.5.0 are vulnerable, regardless of operating system or platform. Organizations using earlier software branch releases are also at risk and should upgrade immediately.
NVIDIA recommends that users clone or update to the NeMo Framework version 2.5.0 or later, available from the official NVIDIA GitHub repository and the PyPI package manager.
The company emphasizes that users on earlier branch releases should upgrade to the latest branch version.
Organizations should assess their specific configurations and apply the security update promptly to mitigate potential exploitation risks.
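
One way to check pinned dependencies against the fixed release, as an added example that is not code from NVIDIA or the original article. It assumes the PyPI distribution name is `nemo_toolkit`, treats pre-releases of 2.5.0 as unpatched (a conservative assumption), and runs over constructed sample lines.

```python
import re

FIXED = (2, 5, 0)          # first fixed release named in the article
PACKAGE = "nemo-toolkit"   # assumption: NeMo's PyPI distribution name, normalized

# name, optional [extras], optional "== version"
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?")
PRE = re.compile(r"[.\-_]?(a|b|rc|dev|pre)")

def normalize(name):
    """PEP 503 normalization, so nemo_toolkit / NeMo.Toolkit compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_vulnerable(version):
    """True if version sorts before 2.5.0; pre-releases of 2.5.0 count as unpatched."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognized version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (len(FIXED) - len(release))   # pad "2.5" to (2, 5, 0)
    prerelease = bool(PRE.match(m.group(2).lower()))
    return release < FIXED or (release == FIXED and prerelease)

def audit(lines):
    """Return (requirement, status) for each NeMo entry in pip-freeze style lines."""
    results = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        m = REQ.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        if m.group(2) is None:
            status = "unpinned"               # range or URL pin: resolve and check by hand
        else:
            status = "vulnerable" if is_vulnerable(m.group(2)) else "fixed"
        results.append((line, status))
    return results

# Constructed sample input, not taken from any real project.
SAMPLE = [
    "torch==2.3.0",
    "nemo_toolkit[all]==2.4.0",
    "NeMo.Toolkit == 2.5.0rc1  # pre-release of the fixed version",
    "nemo-toolkit==2.5.0",
    "nemo_toolkit>=2.0",
]

if __name__ == "__main__":
    for req, status in audit(SAMPLE):
        print(f"{status:10} {req}")
```

Feed it the output of `pip freeze` or a lock file from each environment; entries reported as `unpinned` need the resolved version checked separately.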
The post NVIDIA NeMo Framework Vulnerabilities Allows Code Injection and Privilege Escalation appeared first on Cyber Security News.