CVE-2025-33213: NVIDIA: Deserialization enables RCE

HIGH
Published December 9, 2025
CISO Take

NVIDIA Merlin Transformers4Rec contains a high-severity deserialization flaw (CWE-502) in its Trainer component enabling remote code execution when a user loads a malicious artifact. If your ML teams use this library for transformer-based recommendation systems, patch immediately via NVIDIA advisory ID 5739. Until patched, restrict Trainer inputs to internally signed, verified sources only and sandbox training workloads.

What is the risk?

High risk for organizations running NVIDIA Merlin Transformers4Rec in recommendation model training pipelines. CVSS 8.8 with network-exploitable, low-complexity attack, though user interaction is required — constraining exploitation to social engineering or supply chain scenarios. Training hosts typically carry elevated privileges, GPU access, and broad connectivity to data lakes and internal networks, making blast radius severe if exploited. Not in CISA KEV, indicating no confirmed active exploitation, but the combination of NVIDIA's ML library reach and trivially craftable exploit payloads warrants prompt response.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 41% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps
  1. Patch: Apply NVIDIA's fix immediately per advisory https://nvidia.custhelp.com/app/answers/detail/a_id/5739.

  2. Inventory: Audit all environments running Merlin Transformers4Rec Trainer across dev, staging, and production.

  3. Restrict inputs: Enforce strict allowlists on model checkpoint and artifact sources; only load files from internally verified, cryptographically signed repositories.

  4. Isolate training workloads: Run training jobs in sandboxed containers with restricted syscalls (seccomp/AppArmor) to limit blast radius.

  5. Detect: Monitor for unexpected process spawning, outbound network connections, or anomalous file writes from training processes; alert on deserialization of externally sourced pickle/joblib files.

  6. Audit MLOps pipelines: Identify any automated pipeline that ingests unvalidated model artifacts from external or user-supplied sources and gate with artifact validation.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI supply chain management
A.6.2 - AI system lifecycle security
NIST AI RMF
GOVERN 6.1 - Policies for AI risk and vulnerability management
GOVERN-1.7 - Processes for identifying and managing AI risks across the lifecycle
MANAGE 2.4 - Risks associated with third-party entities
MANAGE-2.2 - Mechanisms to detect, respond to, and recover from AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-33213?

NVIDIA Merlin Transformers4Rec contains a high-severity deserialization flaw (CWE-502) in its Trainer component enabling remote code execution when a user loads a malicious artifact. If your ML teams use this library for transformer-based recommendation systems, patch immediately via NVIDIA advisory ID 5739. Until patched, restrict Trainer inputs to internally signed, verified sources only and sandbox training workloads.

Is CVE-2025-33213 actively exploited?

No confirmed active exploitation of CVE-2025-33213 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-33213?

1. Patch: Apply NVIDIA's fix immediately per advisory https://nvidia.custhelp.com/app/answers/detail/a_id/5739.
2. Inventory: Audit all environments running Merlin Transformers4Rec Trainer across dev, staging, and production.
3. Restrict inputs: Enforce strict allowlists on model checkpoint and artifact sources; only load files from internally verified, cryptographically signed repositories.
4. Isolate training workloads: Run training jobs in sandboxed containers with restricted syscalls (seccomp/AppArmor) to limit blast radius.
5. Detect: Monitor for unexpected process spawning, outbound network connections, or anomalous file writes from training processes; alert on deserialization of externally sourced pickle/joblib files.
6. Audit MLOps pipelines: Identify any automated pipeline that ingests unvalidated model artifacts from external or user-supplied sources and gate with artifact validation.

What systems are affected by CVE-2025-33213?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML infrastructure, recommendation systems, MLOps platforms, model registries.

What is the CVSS score for CVE-2025-33213?

CVE-2025-33213 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.54%.

What is the AI security impact?

Affected AI Architectures

training pipelines, ML infrastructure, recommendation systems, MLOps platforms, model registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.10.1, A.6.2
NIST AI RMF: GOVERN 6.1, GOVERN-1.7, MANAGE 2.4, MANAGE-2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.

Exploitation Scenario

An adversary crafts a malicious serialized Python object (via pickle) embedded in a model checkpoint file for a transformer-based recommendation model. They distribute it through a poisoned model registry, a shared S3 bucket with lax permissions, or a spearphishing email with a convincing 'pre-trained Merlin model for fine-tuning' attachment. When an ML engineer loads the artifact into the Trainer component for fine-tuning or evaluation, deserialization fires arbitrary code execution on their training host — which typically has privileged access to internal data lakes, cloud storage credentials, and GPU cluster orchestration APIs. The adversary exfiltrates training data, implants a persistent backdoor in the model or training environment, or pivots laterally into the broader MLOps infrastructure.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.
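The following is an added example (not code from NVIDIA or the Transformers4Rec project) showing what the "restrict inputs" and "gate with artifact validation" steps above look like in practice, using the HMAC approach the CWE guidance suggests: the consumer refuses an artifact whose HMAC sidecar does not verify, and even a correctly signed artifact is deserialized only through an allowlisting Unpickler, so a pickle that tries to import anything outside the allowlist is rejected before the pickle VM can call it. The key, the allowlist contents, and the two sample artifacts are all constructed for the demo.

```python
"""Artifact gate for pickle-based checkpoints: verify an HMAC sidecar, then
deserialize through an allowlisting Unpickler so that any import outside the
allowlist aborts before its callable can be invoked. Added demo, not project code."""
import hashlib
import hmac
import io
import os
import pickle
from collections import OrderedDict

# Assumption: a legitimate checkpoint needs only these globals; tune per pipeline.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class AllowlistUnpickler(pickle.Unpickler):
    """find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, so refusing
    here means a later REDUCE never receives a callable to run."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("disallowed import %s.%s" % (module, name))

def sign_artifact(data: bytes, key: bytes) -> str:
    """Producer side: HMAC-SHA256 over the raw bytes, published as a sidecar file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def load_checkpoint(data: bytes, key: bytes, sig_hex: str):
    """Consumer side: returns (obj, reason); obj is None when the artifact is refused."""
    if not hmac.compare_digest(sign_artifact(data, key), sig_hex):
        return None, "signature mismatch"  # tampered or unsigned: never unpickled
    try:
        return AllowlistUnpickler(io.BytesIO(data)).load(), "ok"
    except pickle.UnpicklingError as exc:
        return None, str(exc)

class _Tampered:
    """Constructed stand-in for a hostile object: on load it would call a function
    outside the allowlist (os.getcwd here, chosen because it is harmless)."""
    def __reduce__(self):
        return (os.getcwd, ())

KEY = b"demo-key-from-secret-store"  # constructed; a real key lives in a secret store
GOOD = pickle.dumps(OrderedDict(epoch=3, lr=1e-3), protocol=4)  # constructed checkpoint
BAD = pickle.dumps(_Tampered(), protocol=4)                      # constructed tampered copy

if __name__ == "__main__":
    print(load_checkpoint(GOOD, KEY, sign_artifact(GOOD, KEY)))  # (OrderedDict(...), 'ok')
    print(load_checkpoint(BAD, KEY, sign_artifact(GOOD, KEY)))   # (None, 'signature mismatch')
    print(load_checkpoint(BAD, KEY, sign_artifact(BAD, KEY)))    # (None, 'disallowed import ...')
```

In a real pipeline the allowlist would name the model framework's own classes and the sidecar would be produced by the registry at publish time; the rejection reason is the value to alert on per the detection step above.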

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: December 9, 2025
Last Modified: April 15, 2026
First Seen: December 9, 2025
