Plattform
python
Komponente
nvidia/megatron-lm
Behoben in
0.14.1
CVE-2025-23357 describes a code injection vulnerability discovered in NVIDIA Megatron-LM, a framework for large language model training. An attacker can exploit this flaw by crafting malicious data that leads to arbitrary code execution. This vulnerability impacts all versions of Megatron-LM prior to 0.14.0. A patch has been released in version 0.14.0.
Successful exploitation of CVE-2025-23357 allows an attacker to inject and execute arbitrary code within the Megatron-LM environment. This could lead to a complete compromise of the system running the framework, including unauthorized access to sensitive data used for model training. The attacker could potentially steal training data, modify model parameters, or even use the compromised system to launch further attacks. The blast radius extends to any data processed by Megatron-LM, and the potential for lateral movement depends on the system's configuration and network access.
CVE-2025-23357 was published on 2025-11-11. The vulnerability's severity is rated HIGH (CVSS 7.8). There are currently no publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Organizations and researchers utilizing NVIDIA Megatron-LM for large language model training are at risk. This includes those deploying Megatron-LM in cloud environments, on-premise servers, or within development pipelines. Specifically, those using older, unpatched versions of the framework are most vulnerable.
• python / supply-chain:
import os
import subprocess
def check_megatron_version():
try:
result = subprocess.check_output(['python', '-c', 'import megatron_lm; print(megatron_lm.__version__)'], stderr=subprocess.STDOUT)
version = result.decode('utf-8').strip()
if version and version.startswith('0.13'):
print(f"Vulnerability detected: Megatron-LM version {version} is vulnerable.")
else:
print(f"Megatron-LM version {version} is not vulnerable.")
except FileNotFoundError:
print("Megatron-LM not found.")
except subprocess.CalledProcessError as e:
print(f"Error checking version: {e}")
check_megatron_version()disclosure
Exploit-Status
EPSS
0.04% (10% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-23357 is to upgrade to NVIDIA Megatron-LM version 0.14.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, carefully review all input data provided to Megatron-LM, implementing strict validation and sanitization routines to prevent the injection of malicious code. Consider implementing a Web Application Firewall (WAF) to filter potentially malicious requests. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the attack scenario with known malicious input; it should now be rejected or handled safely.
Actualice Megatron-LM a la versión 0.14.0 o posterior. Esto solucionará la vulnerabilidad de inyección de código. Asegúrese de obtener la actualización de una fuente oficial de NVIDIA.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-23357 is a code injection vulnerability affecting NVIDIA Megatron-LM versions before 0.14.0, allowing attackers to execute arbitrary code.
You are affected if you are using NVIDIA Megatron-LM versions prior to 0.14.0. Upgrade immediately to mitigate the risk.
Upgrade to NVIDIA Megatron-LM version 0.14.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the NVIDIA security bulletin for detailed information and updates: [https://nvidia.github.io/megatron-lm/security/advisories/](https://nvidia.github.io/megatron-lm/security/advisories/)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.