CVE-2025-33233: NVIDIA: Code Injection enables RCE

HIGH
Published January 20, 2026
CISO Take

NVIDIA Merlin Transformers4Rec contains a code injection flaw (CWE-94) that allows a local low-privileged attacker to achieve full code execution with no user interaction. Organizations running Transformers4Rec in shared ML compute environments, GPU clusters, or multi-tenant data science platforms should patch immediately — local access in these environments is routine for many users. Audit all deployments and enforce least-privilege on ML workloads as an interim control.

Risk Assessment

CVSS 7.8 High with local attack vector and low complexity makes this exploitable by any user with shell access to the affected system. In traditional enterprise environments the blast radius is moderate; however, AI/ML workloads routinely execute in shared Jupyter notebook servers, multi-tenant GPU clusters, and containerized training pipelines where 'local access' is a very low bar. Exploitation yields confidentiality, integrity, and availability compromise — including the ability to tamper with model artifacts, exfiltrate training data, or implant backdoors. Not in CISA KEV, but the ease-of-exploitation in ML infrastructure elevates practical risk above the raw CVSS score.

Severity & Risk

CVSS 3.1: 7.8 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 8% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Local
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. PATCH: Apply NVIDIA's fix referenced in advisory a_id/5761 immediately. Monitor NVIDIA Security Bulletins for updated package versions.

2. ISOLATION: Until patched, restrict Transformers4Rec execution to dedicated, single-tenant environments — no shared Jupyter servers or multi-user ML platforms.

3. LEAST PRIVILEGE: Enforce strict OS-level user isolation on ML compute nodes; run training jobs under dedicated service accounts with no write access to model artifact stores.

4. DETECTION: Monitor for anomalous process spawning from Python interpreter processes on ML nodes (e.g., unexpected shell invocations, network connections from training jobs). Alert on unexpected writes to model artifact directories.

5. SBOM AUDIT: Enumerate all internal pipelines and MLOps tooling that depend on Transformers4Rec via pip/conda dependency trees.

6. CONTAINER HARDENING: If running in containers, ensure seccomp/AppArmor profiles block unexpected syscalls from ML workloads.
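The step-4 detection guidance expressed as rule logic over process telemetry, as an added example that is not from NVIDIA or this advisory. The event schema, the artifact store address, the artifact directories and the service-account name are constructed assumptions; in practice the events would come from auditd, eBPF or EDR telemetry.

```python
"""Detection rules for the step-4 guidance: flag shells spawned from Python,
unexpected network connections from training jobs, and writes to model artifact
directories by anyone other than the pipeline service account. The event format,
addresses, paths and accounts below are constructed for this example."""
import fnmatch
from dataclasses import dataclass

SHELLS = {"sh", "bash", "dash", "zsh"}                   # child names treated as shell spawns
PYTHON_PARENTS = ("python", "python3", "jupyter")        # interpreter / notebook process names
ALLOWED_DESTS = {"10.0.8.20:9000"}                       # assumed internal artifact store (constructed)
ARTIFACT_DIRS = ("/mnt/models/*", "/srv/checkpoints/*")  # assumed artifact locations (constructed)
ALLOWED_WRITERS = {"svc-trainer"}                        # assumed pipeline service account (constructed)

@dataclass
class Alert:
    rule: str
    event: dict

def shell_from_python(ev):
    """A shell exec'd directly by a Python interpreter or notebook kernel."""
    return (ev["type"] == "exec"
            and ev["parent_comm"].startswith(PYTHON_PARENTS)
            and ev["comm"] in SHELLS)

def unexpected_egress(ev):
    """A Python process connecting anywhere other than the allow-listed store."""
    return (ev["type"] == "connect"
            and ev["comm"].startswith(PYTHON_PARENTS)
            and ev["dest"] not in ALLOWED_DESTS)

def artifact_write(ev):
    """A write under an artifact directory by a non-service account."""
    return (ev["type"] == "write"
            and any(fnmatch.fnmatch(ev["path"], pat) for pat in ARTIFACT_DIRS)
            and ev["user"] not in ALLOWED_WRITERS)

RULES = {"shell_from_python": shell_from_python,
         "unexpected_egress": unexpected_egress,
         "artifact_write": artifact_write}

def evaluate(events):
    """Run every rule over every event, in event order; return the alerts raised."""
    return [Alert(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry: for each rule, one benign event and one that should fire.
SAMPLE_EVENTS = [
    {"type": "exec", "parent_comm": "python3", "comm": "nvidia-smi", "user": "svc-trainer"},
    {"type": "exec", "parent_comm": "python3", "comm": "sh", "user": "dsci-alice"},
    {"type": "connect", "comm": "python3", "dest": "10.0.8.20:9000", "user": "svc-trainer"},
    {"type": "connect", "comm": "python3", "dest": "198.51.100.9:8443", "user": "dsci-alice"},
    {"type": "write", "path": "/mnt/models/rec-v7/model.pt", "user": "svc-trainer"},
    {"type": "write", "path": "/mnt/models/rec-v7/model.pt", "user": "dsci-alice"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert.rule, alert.event)
```

Tune ALLOWED_DESTS and ALLOWED_WRITERS to the real pipeline identity before deploying; the rules are intentionally strict so that anything outside the known-good set surfaces.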

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
    Article 17 - Quality Management System
    Article 9 - Risk Management System
ISO 42001
    8.4 - AI System Risk Management — Technical Controls
    A.6.2.6 - AI System Software Development and Maintenance
    A.9.3 - AI Supply Chain Management
NIST AI RMF
    GOVERN-1.7 - Organizational practices and policies for AI risk management
    MAP 5.1 - Likelihood and Impact of Each Identified Risk
    MEASURE 2.5 - AI Risk Measurement — Vulnerability Identification
OWASP LLM Top 10
    LLM05:2025 - Supply Chain Vulnerabilities
    LLM08:2025 - Vulnerability in Integrated Components (Vector and Embedding Weaknesses)

Frequently Asked Questions

Is CVE-2025-33233 actively exploited?

No confirmed active exploitation of CVE-2025-33233 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-33233?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, recommendation system pipelines, shared ML compute environments, MLOps/CI-CD pipelines.

What is the CVSS score for CVE-2025-33233?

CVE-2025-33233 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Exploitation Scenario

An attacker with low-privileged access to a shared GPU training server (e.g., a data scientist account, compromised CI/CD runner, or malicious insider) crafts a malicious serialized object or configuration input that Transformers4Rec processes without proper sanitization. The injected code executes in the context of the training process, which may run with elevated privileges to access GPU resources or network-attached storage. The attacker pivots to: (1) exfiltrate user behavioral training data from the dataset store, (2) modify model checkpoint files to embed a backdoor that activates on specific inputs in production, or (3) establish persistence on the ML server by modifying shared pipeline scripts. In Kubernetes-based MLOps platforms, the attacker may escape the training pod and access cluster secrets.

Weaknesses (CWE)

CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
January 20, 2026
Last Modified
January 26, 2026
First Seen
January 20, 2026
