NVIDIA researchers have identified two insecure deserialization vulnerabilities in Merlin components.
Both CVE-2025-33214 and CVE-2025-33213 carry CVSS base scores of 8.8, indicating high-severity threats that require immediate attention from system administrators.
| CVE ID | Description | Base Score | CWE | Vector |
|---|---|---|---|---|
| CVE-2025-33214 | NVIDIA NVTabular for Linux contains a vulnerability in the Workflow component, where a user could cause a deserialization issue. | 8.8 | CWE-502 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CVE-2025-33213 | NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component where a user may cause a deserialization issue. | 8.8 | CWE-502 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
The vulnerabilities affect NVTabular’s Workflow component and Transformers4Rec’s Trainer component.
Successful exploitation enables attackers to execute malicious code, trigger denial-of-service conditions, disclose sensitive information, and tamper with critical data.
Per the CVSS vector (AV:N/AC:L/PR:N/UI:R), the attack is network-reachable, low in complexity, needs no privileges, and requires user interaction, making these vulnerabilities particularly concerning for enterprise environments.
All versions of NVIDIA NVTabular and Merlin Transformers4Rec for Linux that lack specific security commits are vulnerable to these attacks.
Organizations running these frameworks must immediately update their installations to protect against potential exploits. NVIDIA has released security patches through GitHub commits.
For NVTabular, users must update to commit 5dd11f4 or later from the NVIDIA-Merlin/NVTabular repository. Transformers4Rec users need to apply commit 876f19e or later from the NVIDIA-Merlin/Transformers4Rec repository.
NVIDIA acknowledged the security researcher for responsibly disclosing both vulnerabilities through coordinated disclosure.
The company released the initial security bulletin on December 9, 2025, providing remediation guidance to affected organizations.
System administrators should prioritize updating NVIDIA Merlin installations by cloning or updating the software to include the security commits.
Organizations should visit NVIDIA Product Security pages for additional vulnerability information and subscribe to security bulletin notifications for future updates.
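One way to verify the remediation described above, as an added example that is not from NVIDIA's bulletin or the original article: a POSIX shell check that reports whether a source checkout's HEAD already contains the fix commit. It assumes the frameworks were installed from git clones; the function names, exit codes and example paths are hypothetical, and the commit IDs are the ones quoted above.

```shell
#!/bin/sh
# Added example (not NVIDIA's code): check whether a local git checkout
# already contains a given security fix commit.

# has_fix <repo_dir> <fix_commit>
# Returns 0 if HEAD contains the fix, 1 if it does not,
# 2 if this cannot be determined (not a checkout, or commit not fetched).
has_fix() {
    repo=$1
    fix=$2
    # The directory must be inside a git work tree.
    git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 2
    # The fix commit must exist locally; stale or shallow clones may lack it.
    git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null || return 2
    # Patched when the fix is HEAD itself or one of its ancestors.
    if git -C "$repo" merge-base --is-ancestor "$fix" HEAD 2>/dev/null; then
        return 0
    fi
    return 1
}

# report <name> <repo_dir> <fix_commit>: print a one-line verdict.
report() {
    name=$1
    rc=0
    has_fix "$2" "$3" || rc=$?
    case $rc in
        0) echo "$name: PATCHED (HEAD contains $3)" ;;
        1) echo "$name: VULNERABLE (HEAD predates $3, update the checkout)" ;;
        *) echo "$name: UNKNOWN (not a git checkout, or $3 not fetched; run git fetch)" ;;
    esac
    return 0
}

# Stand-alone use, with assumed example paths:
#   sh check_fix.sh NVTabular /opt/merlin/NVTabular 5dd11f4
#   sh check_fix.sh Transformers4Rec /opt/merlin/Transformers4Rec 876f19e
if [ "$#" -eq 3 ]; then
    report "$1" "$2" "$3"
fi
```

An UNKNOWN result is not a pass: packages installed without git metadata need their version checked against the bulletin by other means.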
The post NVIDIA Merlin Vulnerabilities Let Attackers Execute Malicious Code and Trigger DoS Condition appeared first on Cyber Security News.