Platform
nvidia
Component
nemo-framework
Fixed in
2.5.1
CVE-2025-23361 is a vulnerability identified in the NVIDIA NeMo Framework, impacting versions prior to 2.5.0. This issue stems from improper control of code generation within a script, allowing an attacker to inject malicious input. Successful exploitation could result in severe consequences, including code execution and data compromise, affecting users of the framework across various platforms.
The core of this vulnerability lies in the framework's script handling. An attacker can craft malicious input specifically designed to manipulate the code generation process. This manipulation could lead to arbitrary code execution on the system running the NeMo Framework, effectively granting the attacker control. The potential impact extends beyond simple code execution; it includes privilege escalation, allowing the attacker to gain higher-level access. Furthermore, sensitive data within the framework or related systems could be exposed, and data integrity could be compromised through tampering. The blast radius is significant, potentially affecting any application or service relying on the vulnerable NeMo Framework.
CVE-2025-23361 was publicly disclosed on 2025-11-11. The vulnerability's impact, allowing for code execution, shares similarities with other code injection vulnerabilities, though specific exploitation patterns remain unknown at this time. There is no indication of this CVE being added to the CISA KEV catalog or active exploitation campaigns as of the disclosure date. Public proof-of-concept (POC) code is currently unavailable.
Exploit Status
EPSS
0.04% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-23361 is to immediately upgrade to NVIDIA NeMo Framework version 2.5.0 or later. This version incorporates fixes to address the improper code generation control. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider implementing stricter input validation and sanitization routines within your NeMo Framework scripts. While not a complete solution, this can reduce the attack surface. Review and audit all scripts utilizing the framework for potential vulnerabilities. After upgrading, confirm the fix by attempting to reproduce the vulnerability with known malicious input – if the code generation process is now properly controlled, the attack should fail.
Actualice NVIDIA NeMo Framework a la versión 2.5.0 o posterior. Esto corregirá la vulnerabilidad que permite la ejecución de código arbitrario, escalada de privilegios, divulgación de información y manipulación de datos.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-23361 is a vulnerability in NVIDIA NeMo Framework versions before 2.5.0 where malicious input can lead to code execution, privilege escalation, and data compromise due to improper code generation control.
If you are using NVIDIA NeMo Framework versions prior to 2.5.0, you are potentially affected by this vulnerability. Upgrade immediately to mitigate the risk.
The recommended fix is to upgrade to NVIDIA NeMo Framework version 2.5.0 or later. If immediate upgrade is not possible, implement stricter input validation and sanitization.
As of the public disclosure date (2025-11-11), there is no confirmed evidence of active exploitation of CVE-2025-23361.
Refer to the official NVIDIA security advisory for detailed information and updates regarding CVE-2025-23361. Check the NVIDIA security bulletin website for the latest advisory.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.