Platform
nvidia
Component
transformers4rec
Fixed in
7.0.1
CVE-2025-23298 is a code injection vulnerability in NVIDIA Merlin Transformers4Rec, a library for building and deploying recommendation models. Successful exploitation could allow an attacker to execute arbitrary code, potentially leading to privilege escalation, information disclosure and data manipulation. All versions of Transformers4Rec prior to code commit b7eaea5 are affected; upgrading to a release that contains this commit resolves the issue.
The impact is significant. An attacker who can inject code runs it with the privileges of the Transformers4Rec process, which opens the way to data exfiltration, tampering with recommendation models, or full compromise of the host. The impact is amplified where Transformers4Rec runs in production on sensitive user data or inside critical business processes: a tampered recommendation model can also be used to steer user behaviour and cause financial loss.
CVE-2025-23298 was publicly disclosed on 2025-08-13. The EPSS score is currently 0.03% (7th percentile), and no public proof-of-concept exploit is known. Code injection flaws are attractive targets, so the absence of a public exploit should not be read as absence of risk; patch on the assumption that one may appear.
Organizations deploying NVIDIA Merlin Transformers4Rec for recommendation systems are at risk, particularly where the library processes sensitive user data or runs in environments with limited security controls. Deployments on older, unpatched versions are the most exposed.
• python / server:
    # Screening check: compare the installed transformers4rec release with the
    # fixed release listed on this page (7.0.1). The fix is identified upstream by
    # commit b7eaea5, so a build from source must be checked against that commit.
    from importlib.metadata import PackageNotFoundError, version

    FIXED = (7, 0, 1)
    try:
        installed = version('transformers4rec')
    except PackageNotFoundError:
        print('Transformers4Rec not found.')
    else:
        # keep only the numeric leading components ('23.08.00' -> (23, 8, 0))
        parsed = tuple(int(p) for p in installed.split('.')[:3] if p.isdigit())
        if parsed < FIXED:
            print(f'Potential vulnerability: Transformers4Rec {installed} is below 7.0.1.')
        else:
            print(f'Transformers4Rec {installed} is at or above the fixed release.')
Disclosure
2025-08-13
Exploit status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-23298 is to upgrade to a version of NVIDIA Merlin Transformers4Rec that includes code commit b7eaea5. If an immediate upgrade is not feasible because of compatibility concerns or deployment constraints, isolate the affected instances and restrict their network access to reduce the attack surface. A WAF rule is not a meaningful control here, since the injection happens inside the Python library rather than at an HTTP boundary; reviewing and restricting the inputs that reach the library offers at best a limited layer of defence. Monitor system logs for unusual activity or unexpected code execution from the Transformers4Rec process.
Update NVIDIA Merlin Transformers4Rec to a version that includes commit b7eaea5 or later. This fixes the code injection vulnerability. Consult the release notes and upgrade instructions provided by NVIDIA.
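An added example, not code from this page, from NVIDIA or from the Transformers4Rec project, that extends the installed-package check above to a dependency manifest: it screens a requirements.txt for transformers4rec entries and reports each as vulnerable, fixed or undetermined against the fixed release this page lists (7.0.1). It handles exact pins, wildcard and compatible-release pins, bounded ranges, extras, environment markers and unpinned entries, and refuses to guess where the specifier alone cannot settle the question. The FIXED_VERSION constant, the sample manifest and the function names are assumptions; because the fix is identified upstream by commit b7eaea5, a version string cannot prove that a build made from source contains it.

```python
"""Screen a requirements.txt for transformers4rec pins that predate the fix.

Added example; not code from this page, NVIDIA or the Transformers4Rec project.
"""
import re

# Fixed release as listed in this page's metadata ("Fixed in 7.0.1"). Adjust it to
# the first release in your index that contains commit b7eaea5; a version string
# cannot prove that commit is present in a build made from source.
FIXED_VERSION = "7.0.1"
PACKAGE = "transformers4rec"

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_CLAUSE_RE = re.compile(r"^\s*(===|==|!=|<=|>=|<|>|~=)\s*([0-9][0-9A-Za-z.+*-]*)\s*$")


def parse_version(v: str) -> tuple:
    """'7.0.1' -> (7, 0, 1); '23.08.00' -> (23, 8, 0). Only numeric components count."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify(spec: str) -> str:
    """Return 'vulnerable', 'fixed' or 'undetermined' for a PEP 440 specifier set."""
    fixed = parse_version(FIXED_VERSION)
    if not spec.strip():
        return "undetermined"          # unpinned: the resolver decides, check the lockfile
    proves_fixed = proves_vuln = False
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause)
        if not m:
            return "undetermined"      # URL, local path or syntax this screener does not know
        op, raw = m.groups()
        if re.search(r"[A-Za-z]", raw):
            return "undetermined"      # pre-release, post-release or local tag: leave to a real resolver
        if raw.endswith(".*"):         # '==7.0.*' behaves like '>=7.0,<7.1'
            v = parse_version(raw[:-2])
            bounds = [(">=", v), ("<", v[:-1] + (v[-1] + 1,))]
        elif op == "~=":               # '~=7.0.1' behaves like '>=7.0.1,<7.1'
            v = parse_version(raw)
            if len(v) < 2:
                return "undetermined"
            bounds = [(">=", v), ("<", v[:-2] + (v[-2] + 1,))]
        elif op in ("==", "==="):      # exact pin: both a lower and an upper bound
            v = parse_version(raw)
            bounds = [(">=", v), ("<=", v)]
        else:
            bounds = [(op, parse_version(raw))]   # '!=' carries no bound and is ignored below
        for bop, v in bounds:
            if bop in (">=", ">") and v >= fixed:
                proves_fixed = True    # every candidate is at or above the fixed release
            elif (bop == "<" and v <= fixed) or (bop == "<=" and v < fixed):
                proves_vuln = True     # every candidate is below the fixed release
    if proves_vuln:
        return "vulnerable"
    return "fixed" if proves_fixed else "undetermined"


def audit_requirements(text: str) -> list:
    """Return (requirement, status) for every transformers4rec entry in a requirements file."""
    findings = []
    for line in text.splitlines():
        line = re.split(r"(?:^|\s)#", line, maxsplit=1)[0].strip()   # drop comments
        if not line or line.startswith("-"):
            continue                   # blank line or pip option such as -r / --index-url
        line = line.split(";", 1)[0].strip()                           # drop environment markers
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, spec = m.groups()
        if re.sub(r"[-_.]+", "-", name).lower() != PACKAGE:
            continue                   # PEP 503 name normalisation, then filter to our package
        findings.append((line, classify(spec)))
    return findings


# Constructed sample manifest (not a real project file); several entries for the
# same package appear only to exercise each branch of the classifier.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project manifest
torch>=2.1
transformers4rec==7.0.0                         # exact pin below the fixed release
transformers4rec[nvtabular]>=7.0.1 ; python_version >= "3.9"
transformers4rec<7.0.1
transformers4rec
"""

if __name__ == "__main__":
    for requirement, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:<13} {requirement}")
```

Run it against a real requirements.txt by passing the file contents to audit_requirements. Treat "undetermined" as a prompt to check the resolved lockfile or the installed environment, not as a pass: an unpinned or wide-range entry can resolve to either side of the fix.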
CVE-2025-23298 is a code injection vulnerability affecting NVIDIA Merlin Transformers4Rec versions before commit b7eaea5. It allows attackers to potentially execute code and compromise the system.
You are affected if you are using NVIDIA Merlin Transformers4Rec versions prior to the one including commit b7eaea5. Check your version and upgrade if necessary.
Upgrade to a version of NVIDIA Merlin Transformers4Rec that includes code commit b7eaea5. This resolves the code injection vulnerability.
Currently, there are no publicly known active exploits, but the vulnerability is considered high severity and exploitation is possible.
Refer to the NVIDIA security bulletin for details and updates regarding CVE-2025-23298: [https://www.nvidia.com/en-us/security/cve/CVE-2025-23298](https://www.nvidia.com/en-us/security/cve/CVE-2025-23298)