CVE-2025-23298: Merlin Transformers4Rec: code injection via Python dep

HIGH
Published August 13, 2025
CISO Take

Teams running NVIDIA Merlin Transformers4Rec-based recommendation pipelines must patch immediately — a low-privileged attacker on the same system can achieve full code execution, privilege escalation, and data tampering through a vulnerable Python dependency. Shared ML training clusters, JupyterHub environments, and MLOps platforms are highest risk. Apply the NVIDIA advisory fix and audit your Python dependency trees.

What is the risk?

High risk (CVSS 7.8) in multi-user ML environments. The local attack vector limits direct internet-facing exposure, but shared GPU training clusters, containerized ML workloads, and multi-tenant AI platforms where multiple users execute jobs on common infrastructure are directly exploitable. AC:L with no user interaction means exploitation is straightforward once local access is obtained. The full C:H/I:H/A:H triad means a successful attack results in complete node compromise — training data exfiltration, model weight theft, and supply chain poisoning of downstream model artifacts are all realistic outcomes.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 49% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

7 steps
  1. Identify all Transformers4Rec deployments across training, serving, and CI/CD environments — check installed versions against the patched release noted in NVIDIA advisory a_id/5683.

  2. Update the affected Python dependency as directed; rebuild and redeploy any containers built on vulnerable base environments.

  3. Enforce least-privilege on ML workloads — training jobs should run as unprivileged users with no unnecessary OS capabilities or mounts.

  4. Audit Python dependency trees using pip-audit, Safety, or SBOM tooling across ML containers.

  5. Add detection for anomalous child process spawning from Python ML processes in your EDR/SIEM.

  6. Isolate ML training environments in separate Kubernetes namespaces or containers with restricted seccomp/AppArmor profiles.

  7. Rotate credentials for any service accounts accessible from affected training environments as a precaution.
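Step 5 asks for detection of Python ML processes spawning unexpected children. The following is an added example, not code from the advisory page or from NVIDIA's Transformers4Rec project; it assumes process-creation events have already been normalized into dicts with the field names used here (`parent_comm`, `child_comm`, `cmdline`, `parent_uid`, `child_uid`), which is a constructed schema standing in for whatever your EDR, auditd or eBPF feed emits. The allowlist and the suspicious-program set are illustrative starting points to tune per environment. It also handles one common false-positive source: frameworks that call `subprocess` with `shell=True`, so a shell child wrapping an allowed command is not flagged.

```python
"""Flag anomalous child processes spawned by Python ML jobs (added example)."""
import os
import re
import shlex

# Parent interpreters whose children we inspect: python, python3, python3.10, ...
PYTHON_RE = re.compile(r"^python(\d(\.\d+)?)?$")

# Shells that frameworks legitimately use to wrap a single command (shell=True).
SHELLS = {"sh", "bash", "dash", "zsh"}

# Programs a training job normally has no reason to launch under a Python parent.
SUSPICIOUS_CHILDREN = SHELLS | {"curl", "wget", "nc", "ncat", "ssh", "scp", "base64", "perl"}

# Known-good children for this environment (assumed; tune per cluster).
ALLOWED_CHILDREN = {"nvidia-smi", "git", "ldconfig", "nvcc"}


def _shell_wrapped_command(cmdline):
    """Return the basename of the command a shell -c invocation runs, or None."""
    try:
        argv = shlex.split(cmdline or "")
    except ValueError:
        return None
    if "-c" in argv and argv.index("-c") + 1 < len(argv):
        inner = shlex.split(argv[argv.index("-c") + 1])
        if inner:
            return os.path.basename(inner[0])
    return None


def is_suspicious(event):
    """Return a reason string if the event is anomalous, else None."""
    parent, child = event["parent_comm"], event["child_comm"]
    if not PYTHON_RE.match(parent):
        return None  # only children of Python interpreters are in scope here
    if child in ALLOWED_CHILDREN:
        return None
    if child in SHELLS and _shell_wrapped_command(event.get("cmdline")) in ALLOWED_CHILDREN:
        return None  # e.g. sh -c "nvidia-smi ..." from a framework helper
    if child in SUSPICIOUS_CHILDREN:
        return f"python process spawned {child}"
    # Privilege boundary crossing: child effective uid differs from the parent's.
    if event.get("child_uid") != event.get("parent_uid"):
        return f"uid change {event.get('parent_uid')} -> {event.get('child_uid')}"
    return None


def flag_events(events):
    """Return [(pid, reason), ...] for every anomalous event, preserving order."""
    flagged = []
    for event in events:
        reason = is_suspicious(event)
        if reason:
            flagged.append((event["pid"], reason))
    return flagged


# Constructed sample events (not real telemetry) covering the cases above.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_comm": "python3", "child_comm": "nvidia-smi",
     "cmdline": "nvidia-smi", "parent_uid": 1001, "child_uid": 1001},
    {"pid": 4102, "parent_comm": "python3.10", "child_comm": "sh",
     "cmdline": "sh -c 'nvidia-smi --query-gpu=name'", "parent_uid": 1001, "child_uid": 1001},
    {"pid": 4103, "parent_comm": "python3", "child_comm": "bash",
     "cmdline": "bash -c id", "parent_uid": 1001, "child_uid": 1001},
    {"pid": 4104, "parent_comm": "python3", "child_comm": "curl",
     "cmdline": "curl http://example.invalid/", "parent_uid": 1001, "child_uid": 1001},
    {"pid": 4105, "parent_comm": "bash", "child_comm": "python3",
     "cmdline": "python3 train.py", "parent_uid": 1001, "child_uid": 1001},
    {"pid": 4106, "parent_comm": "python3", "child_comm": "sudo",
     "cmdline": "sudo -n true", "parent_uid": 1001, "child_uid": 0},
    {"pid": 4107, "parent_comm": "python3", "child_comm": "git",
     "cmdline": "git rev-parse HEAD", "parent_uid": 1001, "child_uid": 1001},
]

if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

In a SIEM the same logic maps onto a rule keyed on the parent image matching a Python interpreter, with the allowlist maintained as a lookup table; the uid-change branch is the one that surfaces the escalation half of this advisory rather than only the code-execution half.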

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
8.4 - AI System Supply Chain Management
NIST AI RMF
GOVERN 6.2 - Policies and procedures are in place for AI risk from third-party entities
MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their components

Frequently Asked Questions

What is CVE-2025-23298?

Teams running NVIDIA Merlin Transformers4Rec-based recommendation pipelines must patch immediately — a low-privileged attacker on the same system can achieve full code execution, privilege escalation, and data tampering through a vulnerable Python dependency. Shared ML training clusters, JupyterHub environments, and MLOps platforms are highest risk. Apply the NVIDIA advisory fix and audit your Python dependency trees.

Is CVE-2025-23298 actively exploited?

No confirmed active exploitation of CVE-2025-23298 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-23298?

  1. Identify all Transformers4Rec deployments across training, serving, and CI/CD environments — check installed versions against the patched release noted in NVIDIA advisory a_id/5683.

  2. Update the affected Python dependency as directed; rebuild and redeploy any containers built on vulnerable base environments.

  3. Enforce least-privilege on ML workloads — training jobs should run as unprivileged users with no unnecessary OS capabilities or mounts.

  4. Audit Python dependency trees using pip-audit, Safety, or SBOM tooling across ML containers.

  5. Add detection for anomalous child process spawning from Python ML processes in your EDR/SIEM.

  6. Isolate ML training environments in separate Kubernetes namespaces or containers with restricted seccomp/AppArmor profiles.

  7. Rotate credentials for any service accounts accessible from affected training environments as a precaution.

What systems are affected by CVE-2025-23298?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, recommendation system serving, data preprocessing pipelines, shared ML compute clusters, MLOps platforms.

What is the CVSS score for CVE-2025-23298?

CVE-2025-23298 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.73%.

What is the AI security impact?

Affected AI Architectures

training pipelines
recommendation system serving
data preprocessing pipelines
shared ML compute clusters
MLOps platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.001 Malicious Package
AML.T0035 AI Artifact Collection
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: 8.4
NIST AI RMF: GOVERN 6.2, MANAGE 2.2

What are the technical details?

Original Advisory

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Exploitation Scenario

An attacker obtains low-privileged access to a shared GPU training server — via compromised data scientist credentials, a malicious notebook uploaded to JupyterHub, or a rogue container in an MLOps pipeline. They confirm Transformers4Rec is installed on the target. By crafting a malicious input or configuration artifact processed by the vulnerable Python dependency during data preprocessing or model training, they trigger the CWE-94 code injection. The injected code executes in the context of the training process, allowing privilege escalation to access model weights, proprietary training datasets, or adjacent services. In a worst case, the attacker tampers with training data mid-run to introduce a backdoor into the recommendation model, which then propagates silently to production serving.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
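The first CWE-94 mitigation above, not generating code from external input, is easiest to see in the kind of place ML pipelines commonly get it wrong: turning a configuration string into a Python object. The following is an added, generic illustration of that pattern and its fix; it is not code from Transformers4Rec or from the unnamed dependency the advisory refers to, and the advisory does not say which construct was affected. The hyperparameter keys and the `EXPECTED` schema are assumptions made for the example.

```python
"""Parse a user-supplied hyperparameter string without evaluating it as code (added example)."""
import ast

# Vulnerable shape: a config value such as "{'lr': 1e-3, 'layers': [64, 32]}" is
# turned into an object by evaluating it as Python. Whatever expression ends up
# in the string runs with the training job's privileges (CWE-94).
def parse_hyperparams_unsafe(text):
    return eval(text)  # do not do this with externally influenced input

# Hardened shape: ast.literal_eval builds an object from literal syntax only
# (numbers, strings, lists, tuples, dicts, sets, booleans, None). Names, calls,
# attribute access and arbitrary operators are rejected before anything runs.
# A schema check then constrains keys and types, so the result is data, not code.
EXPECTED = {"lr": float, "dropout": float, "epochs": int, "layers": list}  # assumed schema


def parse_hyperparams_safe(text, max_len=4096):
    if len(text) > max_len:
        raise ValueError("config too large")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"config is not a plain literal: {exc}") from None
    if not isinstance(value, dict):
        raise ValueError("config must be a dict")
    out = {}
    for key, val in value.items():
        if key not in EXPECTED:
            raise ValueError(f"unknown key {key!r}")
        typ = EXPECTED[key]
        if typ is float and isinstance(val, int) and not isinstance(val, bool):
            val = float(val)  # accept "lr: 1" as 1.0
        if isinstance(val, bool) or not isinstance(val, typ):
            raise ValueError(f"{key} must be {typ.__name__}")
        out[key] = val
    if "layers" in out and not all(isinstance(n, int) and n > 0 for n in out["layers"]):
        raise ValueError("layers must be positive ints")
    return out


def accepts(text):
    """True if the hardened parser accepts the string, False if it rejects it."""
    try:
        parse_hyperparams_safe(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_hyperparams_safe("{'lr': 1e-3, 'layers': [64, 32], 'epochs': 5}"))
    print(accepts("{'lr': len([1, 2])}"))  # a call expression is rejected
```

The same idea applies to YAML or JSON configs loaded with a full-featured loader: prefer `yaml.safe_load` or `json.loads` plus a schema over any path that lets a config file name a class or expression to instantiate. Where dynamic generation truly cannot be avoided, the second mitigation above (a sandbox such as seccomp or AppArmor, which step 6 of the remediation list also calls for) limits what injected code can reach, but it does not remove the injection.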

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
August 13, 2025
Last Modified
April 15, 2026
First Seen
August 13, 2025
