Platform
nvidia
Component
nvidia/nemo
Fixed in
24.12.1
CVE-2025-23360 describes a Path Traversal vulnerability identified in the NVIDIA NeMo Framework. This flaw allows an attacker to potentially write arbitrary files, which could lead to code execution and data manipulation. The vulnerability impacts all versions of the framework prior to 24.12. A fix is available in version 24.12.
The core of this vulnerability lies in the framework's handling of file paths. An attacker can craft malicious input that bypasses intended security checks, allowing them to specify a path outside of the intended directory. This effectively allows them to write files to locations they shouldn't have access to. Successful exploitation could result in the attacker overwriting critical configuration files, injecting malicious code into the system, or exfiltrating sensitive data. The potential for code execution significantly expands the attack surface, enabling further compromise of the system running the NeMo Framework. While specific real-world exploitation examples are not yet publicly available, the potential for impact is substantial, particularly in environments where the framework is used for sensitive data processing or model training.
CVE-2025-23360 was publicly disclosed on 2025-03-11. Its severity is rated HIGH with a CVSS score of 7.1. As of this writing, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability have not been reported.
Exploit Status
EPSS
0.16% (37% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-23360 is to upgrade to NVIDIA NeMo Framework version 24.12 or later. If an immediate upgrade is not feasible, consider implementing stricter input validation on any file paths used within the framework. This could involve whitelisting allowed characters or enforcing path length restrictions. Additionally, configure the framework with the principle of least privilege, limiting its access to only the necessary files and directories. Review and harden file system permissions to prevent unauthorized write access. After upgrading, verify the fix by attempting to trigger the path traversal vulnerability with known malicious input and confirming that the attempt is blocked.
Actualice NVIDIA NeMo Framework a la versión 24.12 o posterior. Esto corregirá la vulnerabilidad de path traversal y evitará la posible ejecución de código y manipulación de datos. Descargue la versión más reciente desde el sitio web oficial de NVIDIA o a través del gestor de paquetes correspondiente.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-23360 is a Path Traversal vulnerability in NVIDIA NeMo Framework allowing attackers to write arbitrary files, potentially leading to code execution and data tampering.
You are affected if you are using NVIDIA NeMo Framework versions prior to 24.12. All versions before 24.12 are vulnerable.
Upgrade to NVIDIA NeMo Framework version 24.12 or later. Implement stricter input validation as a temporary workaround if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation of CVE-2025-23360.
Refer to the NVIDIA security bulletin for CVE-2025-23360 on the NVIDIA website (https://www.nvidia.com/en-us/security/).
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.