Platform: nvidia
Component: nemo-framework
Fixed in: 2.4.1
CVE-2025-23313 describes a code injection vulnerability discovered in the NVIDIA NeMo Framework. This flaw allows an attacker to inject malicious data that can lead to code execution within the NLP component. Versions of the framework prior to 2.4.0 are affected, and NVIDIA recommends upgrading to the patched version to mitigate the risk.
The impact of this vulnerability is significant. Successful exploitation could allow an attacker to execute arbitrary code on the system running the NVIDIA NeMo Framework. This could lead to a complete compromise of the system, including privilege escalation, allowing the attacker to gain administrative access. Furthermore, the attacker could potentially steal sensitive data or tamper with existing data, leading to data breaches and operational disruptions. The NLP component's role in processing natural language data makes it a prime target for attackers seeking to inject malicious code and manipulate the framework's behavior.
CVE-2025-23313 was publicly disclosed on 2025-08-26. The vulnerability's impact, involving code execution, warrants careful attention. As of this writing, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor CISA and NVIDIA advisories for updates and potential exploitation campaigns.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation for CVE-2025-23313 is to upgrade to NVIDIA NeMo Framework version 2.4.0 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization techniques within your NLP pipelines to prevent the injection of malicious data. Review and restrict access to the NLP component, limiting who can provide input data. Monitor system logs for unusual activity or errors related to the NLP component, which could indicate an attempted exploit. After upgrading, confirm the fix by attempting to reproduce the vulnerability with known malicious input and verifying that it is no longer exploitable.
Update NVIDIA NeMo Framework to version 2.4.0 or later. This version contains the fix for the code injection vulnerability. See NVIDIA release notes for more details about the update.
CVE-2025-23313 is a code injection vulnerability affecting NVIDIA NeMo Framework versions prior to 2.4.0. It allows malicious data to trigger code execution, potentially leading to system compromise.
You are affected if you are using NVIDIA NeMo Framework versions prior to 2.4.0. Check your installed version and upgrade if necessary.
Upgrade to NVIDIA NeMo Framework version 2.4.0 or later. Implement input validation and sanitization as an interim measure.
As of the current disclosure date, there are no publicly known active exploitation campaigns, but the vulnerability's severity warrants caution.
Refer to the NVIDIA security bulletin for CVE-2025-23313 on the NVIDIA website (https://www.nvidia.com/en-us/security/).