Plattform
nvidia
Komponente
nvidia/nemo
Behoben in
24.12.1
CVE-2025-23360 describes a Path Traversal vulnerability discovered in the NVIDIA NeMo Framework. This flaw allows an attacker to potentially write arbitrary files, leading to code execution and data manipulation. The vulnerability impacts all versions of the framework prior to 24.12, and a patch has been released to address the issue.
The core of this vulnerability lies in the framework's handling of file paths. An attacker can craft malicious input that bypasses intended security checks, allowing them to specify a path outside the intended directory. This could enable them to overwrite critical configuration files, inject malicious code into the system, or exfiltrate sensitive data. The potential for code execution significantly elevates the risk, as it could grant an attacker complete control over the affected system. The impact is amplified if the NeMo Framework is deployed in a production environment handling sensitive data or integrated with other critical systems, potentially leading to widespread data breaches and system compromise.
This vulnerability was publicly disclosed on March 11, 2025. There is currently no indication of active exploitation campaigns targeting CVE-2025-23360, but the availability of a Path Traversal vulnerability increases the risk of future exploitation. The vulnerability's severity (CVSS 7.1 - HIGH) indicates a significant potential for exploitation if left unaddressed. No KEV listing is currently available.
Organizations utilizing the NVIDIA NeMo Framework for natural language processing tasks, particularly those involved in model training or deployment, are at risk. This includes research institutions, AI development companies, and any entity relying on NeMo for its NLP pipelines. Environments with less stringent security controls or those running older, unpatched versions of the framework are particularly vulnerable.
• python / framework: Inspect NeMo Framework code for file handling routines that construct paths from user-supplied input. Look for missing or inadequate validation.
import os
# Vulnerable code example
filepath = os.path.join(base_dir, user_input)
# Safe code example
filepath = os.path.join(base_dir, os.path.normpath(user_input))• generic web: Monitor web server access logs for unusual file access patterns, particularly attempts to access files outside of the expected directory structure. • generic web: Check for unexpected files appearing in sensitive directories within the NeMo Framework installation.
disclosure
Exploit-Status
EPSS
0.16% (37% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-23360 is to immediately upgrade to NVIDIA NeMo Framework version 24.12 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing stricter input validation on file paths within the framework. Implement robust access controls to limit the permissions of the NeMo Framework user account, preventing it from writing to sensitive system directories. Monitor file system activity for unexpected file modifications, particularly in critical directories. While a WAF cannot directly prevent this vulnerability, it can be configured to detect and block suspicious file path patterns in incoming requests.
Actualice NVIDIA NeMo Framework a la versión 24.12 o posterior. Esto corregirá la vulnerabilidad de path traversal y evitará la posible ejecución de código y manipulación de datos. Descargue la versión más reciente desde el sitio web oficial de NVIDIA o a través del gestor de paquetes correspondiente.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-23360 is a Path Traversal vulnerability in NVIDIA NeMo Framework allowing attackers to write arbitrary files, potentially leading to code execution and data tampering.
You are affected if you are using NVIDIA NeMo Framework versions prior to 24.12. All versions before 24.12 are vulnerable.
Upgrade to NVIDIA NeMo Framework version 24.12 or later. Implement stricter input validation as a temporary workaround if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation of CVE-2025-23360.
Refer to the NVIDIA security bulletin for CVE-2025-23360 on the NVIDIA website (https://www.nvidia.com/en-us/security/).
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.