Platform
python
Component
nvidia/megatron-lm
Fixed in
0.14.1
CVE-2025-23357 describes a code injection vulnerability discovered in NVIDIA Megatron-LM, a framework for large language model training. An attacker can exploit this flaw by crafting malicious data that leads to arbitrary code execution. This vulnerability impacts all versions of Megatron-LM prior to 0.14.0. A patch has been released in version 0.14.0.
Successful exploitation of CVE-2025-23357 allows an attacker to inject and execute arbitrary code within the Megatron-LM environment. This could lead to a complete compromise of the system running the framework, including unauthorized access to sensitive data used for model training. The attacker could potentially steal training data, modify model parameters, or even use the compromised system to launch further attacks. The blast radius extends to any data processed by Megatron-LM, and the potential for lateral movement depends on the system's configuration and network access.
CVE-2025-23357 was published on 2025-11-11. The vulnerability's severity is rated HIGH (CVSS 7.8). There are currently no publicly available proof-of-concept exploits. The vulnerability has not been added to the CISA KEV catalog as of this writing.
Exploit Status
EPSS
0.04% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-23357 is to upgrade to NVIDIA Megatron-LM version 0.14.0 or later, which includes the necessary fix. If upgrading is not immediately feasible, carefully review all input data provided to Megatron-LM, implementing strict validation and sanitization routines to prevent the injection of malicious code. Consider implementing a Web Application Firewall (WAF) to filter potentially malicious requests. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the attack scenario with known malicious input; it should now be rejected or handled safely.
Actualice Megatron-LM a la versión 0.14.0 o posterior. Esto solucionará la vulnerabilidad de inyección de código. Asegúrese de obtener la actualización de una fuente oficial de NVIDIA.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-23357 is a code injection vulnerability affecting NVIDIA Megatron-LM versions before 0.14.0, allowing attackers to execute arbitrary code.
You are affected if you are using NVIDIA Megatron-LM versions prior to 0.14.0. Upgrade immediately to mitigate the risk.
Upgrade to NVIDIA Megatron-LM version 0.14.0 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the NVIDIA security bulletin for detailed information and updates: [https://nvidia.github.io/megatron-lm/security/advisories/](https://nvidia.github.io/megatron-lm/security/advisories/)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.