平台
python
组件
nvidia/megatron-lm
修复版本
0.13.2
CVE-2025-23353 describes an injection vulnerability discovered in NVIDIA Megatron-LM, a framework for large language model training. This flaw allows attackers to inject malicious data through the msdp preprocessing script, potentially leading to severe consequences. Versions of Megatron-LM prior to 0.13.1 and 0.12.3 are affected. A fix is available in version 0.13.1.
The vulnerability lies within the msdp preprocessing script, where insufficient input validation allows attackers to inject malicious data. Successful exploitation could result in arbitrary code execution on the affected system, granting the attacker complete control. This could lead to privilege escalation, allowing the attacker to gain higher-level access. Furthermore, the vulnerability poses a significant risk of data disclosure, as sensitive information processed by Megatron-LM could be exposed. Data tampering is also a possibility, enabling attackers to modify training data or model outputs, potentially compromising the integrity of the entire system. The impact is particularly severe in environments where Megatron-LM is used for critical applications or processes.
CVE-2025-23353 was publicly disclosed on 2025-09-24. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of this writing. Given the potential for code execution and privilege escalation, this vulnerability warrants careful attention and prompt remediation.
Organizations and researchers utilizing NVIDIA Megatron-LM for large language model training, particularly those relying on the msdp preprocessing script for data preparation, are at risk. This includes those deploying Megatron-LM in cloud environments or on systems with limited security controls.
• python / supply-chain:
import os
import subprocess
# Check for vulnerable Megatron-LM versions
process = subprocess.Popen(['python', '-c', 'import megatron_lm; print(megatron_lm.__version__)'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = process.communicate()
version = stdout.decode('utf-8').strip()
if version and (float(version) < 0.13.1 or float(version) < 0.12.3):
print(f"Vulnerable Megatron-LM version detected: {version}")• generic web: Check for unusual activity or unexpected data patterns in the msdp preprocessing script logs.
disclosure
漏洞利用状态
EPSS
0.02% (6% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-23353 is to upgrade to NVIDIA Megatron-LM version 0.13.1 or later. This version includes the necessary fixes to prevent malicious data injection. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider implementing stricter input validation on the msdp preprocessing script to sanitize user-provided data. While not a complete solution, this can reduce the attack surface. Monitoring the msdp script for unusual activity or unexpected data patterns can also help detect potential exploitation attempts. After upgrading, verify the fix by attempting to inject malicious data into the msdp script and confirming that it is properly sanitized.
Actualice Megatron-LM a la versión 0.13.1 o posterior. Esto corregirá la vulnerabilidad de inyección en el script de preprocesamiento msdp. Asegúrese de verificar la integridad de la nueva versión después de la actualización.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-23353 is a HIGH severity injection vulnerability affecting NVIDIA Megatron-LM versions before 0.13.1 and 0.12.3, allowing malicious data to trigger code execution and data compromise.
You are affected if you are using NVIDIA Megatron-LM versions prior to 0.13.1 or 0.12.3. Check your installed version and upgrade if necessary.
Upgrade to NVIDIA Megatron-LM version 0.13.1 or later to resolve the vulnerability. Implement input validation as a temporary workaround if immediate upgrade is not possible.
Currently, there are no known active exploits or public proof-of-concept code for CVE-2025-23353, but the potential for exploitation is high.
Refer to the NVIDIA security bulletin for detailed information and updates regarding CVE-2025-23353: [https://nvidia.github.io/security-bulletins/](https://nvidia.github.io/security-bulletins/)
上传你的 requirements.txt 文件,立即知道是否受影响。