CVE-2025-23298: Merlin Transformers4Rec: code injection via Python dep

HIGH
Published August 13, 2025
CISO Take

Teams running NVIDIA Merlin Transformers4Rec-based recommendation pipelines must patch immediately — a low-privileged attacker on the same system can achieve full code execution, privilege escalation, and data tampering through a vulnerable Python dependency. Shared ML training clusters, JupyterHub environments, and MLOps platforms are highest risk. Apply the NVIDIA advisory fix and audit your Python dependency trees.

Risk Assessment

High risk (CVSS 7.8) in multi-user ML environments. The local attack vector limits direct internet-facing exposure, but shared GPU training clusters, containerized ML workloads, and multi-tenant AI platforms where multiple users execute jobs on common infrastructure are directly exploitable. Low attack complexity (AC:L) with no user interaction (UI:N) means exploitation is straightforward once local access is obtained. The full C:H/I:H/A:H triad means a successful attack results in complete node compromise — training data exfiltration, model weight theft, and supply chain poisoning of downstream model artifacts are all realistic outcomes.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. Identify all Transformers4Rec deployments across training, serving, and CI/CD environments — check installed versions against the patched release noted in NVIDIA advisory a_id/5683.

  2. Update the affected Python dependency as directed; rebuild and redeploy any containers built on vulnerable base environments.

  3. Enforce least-privilege on ML workloads — training jobs should run as unprivileged users with no unnecessary OS capabilities or mounts.

  4. Audit Python dependency trees using pip-audit, Safety, or SBOM tooling across ML containers.

  5. Add detection for anomalous child process spawning from Python ML processes in your EDR/SIEM.

  6. Isolate ML training environments in separate Kubernetes namespaces or containers with restricted seccomp/AppArmor profiles.

  7. Rotate credentials for any service accounts accessible from affected training environments as a precaution.
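One way to implement step 5, as an added example that is not from the advisory or from NVIDIA: a small Python detection rule that reads EDR-style process-creation events and flags shells or downloaders spawned by a Python process running a Transformers4Rec training job, while leaving Python-spawned DataLoader workers and GPU tooling alone. The event field names, interpreter names, job markers and sample events are all assumptions constructed for the example.

```python
import json

# Assumptions (not from the advisory): events carry pid/ppid/image/cmdline;
# these interpreter names and command-line markers identify an ML training job.
PYTHON_IMAGES = {"python", "python3", "python3.10", "python3.11"}
ML_MARKERS = ("transformers4rec", "train.py", "merlin")
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "perl", "chmod"}

def _basename(path):
    return path.rsplit("/", 1)[-1]

def is_ml_python(event):
    """True when the event is a Python interpreter running an ML/Transformers4Rec job."""
    cmd = event.get("cmdline", "").lower()
    return _basename(event.get("image", "")) in PYTHON_IMAGES and any(m in cmd for m in ML_MARKERS)

def detect(events):
    """Return one alert per shell/downloader child of an ML Python process.
    Python-spawned Python workers (DataLoader subprocesses) are normal and not flagged."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.get("ppid"))
        if not parent or not is_ml_python(parent):
            continue  # only children of ML training interpreters are in scope
        child = _basename(e.get("image", ""))
        if child in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "ml_python_spawned_shell", "pid": e["pid"],
                           "ppid": e["ppid"], "child": child, "parent_cmdline": parent["cmdline"]})
    return alerts

# Constructed sample: EDR-style process-creation events as JSON lines.
SAMPLE_EVENTS = """
{"pid": 4100, "ppid": 1, "image": "/usr/bin/python3", "cmdline": "python3 train.py --model transformers4rec"}
{"pid": 4101, "ppid": 4100, "image": "/usr/bin/python3", "cmdline": "python3 -c from multiprocessing.spawn import spawn_main"}
{"pid": 4102, "ppid": 4100, "image": "/usr/bin/nvidia-smi", "cmdline": "nvidia-smi --query-gpu=memory.used"}
{"pid": 4103, "ppid": 4100, "image": "/bin/sh", "cmdline": "sh -c env"}
{"pid": 5000, "ppid": 1, "image": "/usr/bin/python3", "cmdline": "python3 -m http.server"}
{"pid": 5001, "ppid": 5000, "image": "/bin/bash", "cmdline": "bash -c ls"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Only the shell spawned by the training interpreter (pid 4103) is reported; the worker interpreter, nvidia-smi, and the shell under the non-ML http.server process are not.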

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
8.4 - AI System Supply Chain Management
NIST AI RMF
GOVERN 6.2 - Policies and procedures are in place for AI risk from third-party entities
MANAGE 2.2 - Mechanisms are in place to inventory AI systems and their components

Frequently Asked Questions

Is CVE-2025-23298 actively exploited?

No confirmed active exploitation of CVE-2025-23298 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-23298?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, recommendation system serving, data preprocessing pipelines, shared ML compute clusters, MLOps platforms.

What is the CVSS score for CVE-2025-23298?

CVE-2025-23298 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Exploitation Scenario

An attacker obtains low-privileged access to a shared GPU training server — via compromised data scientist credentials, a malicious notebook uploaded to JupyterHub, or a rogue container in an MLOps pipeline. They confirm Transformers4Rec is installed on the target. By crafting a malicious input or configuration artifact processed by the vulnerable Python dependency during data preprocessing or model training, they trigger the CWE-94 code injection. The injected code executes in the context of the training process, allowing privilege escalation to access model weights, proprietary training datasets, or adjacent services. In a worst case, the attacker tampers with training data mid-run to introduce a backdoor into the recommendation model, which then propagates silently to production serving.

Weaknesses (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 13, 2025
Last Modified: August 14, 2025
First Seen: August 13, 2025
