CVE-2025-33233: NVIDIA: Code Injection enables RCE

HIGH
Published January 20, 2026
CISO Take

NVIDIA Merlin Transformers4Rec contains a code injection flaw (CWE-94) that allows a local low-privileged attacker to achieve full code execution with no user interaction. Organizations running Transformers4Rec in shared ML compute environments, GPU clusters, or multi-tenant data science platforms should patch immediately — local access in these environments is routine for many users. Audit all deployments and enforce least privilege on ML workloads as an interim control.

What is the risk?

CVSS 7.8 High with a local attack vector and low complexity makes this exploitable by any user with shell access to the affected system. In traditional enterprise environments the blast radius is moderate; however, AI/ML workloads routinely execute in shared Jupyter notebook servers, multi-tenant GPU clusters, and containerized training pipelines where 'local access' is a very low bar. Exploitation yields confidentiality, integrity, and availability compromise — including the ability to tamper with model artifacts, exfiltrate training data, or implant backdoors. Not in CISA KEV, but the ease of exploitation in ML infrastructure elevates practical risk above the raw CVSS score.

How severe is it?

CVSS 3.1: 7.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. PATCH: Apply NVIDIA's fix referenced in advisory a_id/5761 immediately. Monitor NVIDIA Security Bulletins for updated package versions.
  2. ISOLATION: Until patched, restrict Transformers4Rec execution to dedicated, single-tenant environments — no shared Jupyter servers or multi-user ML platforms.
  3. LEAST PRIVILEGE: Enforce strict OS-level user isolation on ML compute nodes; run training jobs under dedicated service accounts with no write access to model artifact stores.
  4. DETECTION: Monitor for anomalous process spawning from Python interpreter processes on ML nodes (e.g., unexpected shell invocations, network connections from training jobs). Alert on unexpected writes to model artifact directories.
  5. SBOM AUDIT: Enumerate all internal pipelines and MLOps tooling that depend on Transformers4Rec via pip/conda dependency trees.
  6. CONTAINER HARDENING: If running in containers, ensure seccomp/AppArmor profiles block unexpected syscalls from ML workloads.
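As an added example (not code from the advisory or from NVIDIA), the detection and least-privilege controls of steps 3 and 4 expressed as rules over process telemetry: a Python interpreter spawning a shell or downloader, a training job connecting outside the cluster, and an artifact-store write by anyone but the training service account. The interpreter pattern, child-image list, artifact paths, `svc-train` account, internal network range and the JSON-lines event shape are all assumptions; the sample events are constructed.

```python
import ipaddress
import json
import re
from pathlib import PurePosixPath

# Constructed site policy (assumptions, not from the advisory): interpreter pattern,
# forbidden child images, the artifact store and its sole writer, internal networks.
PYTHON_RE = re.compile(r"(^|/)python(\d+(\.\d+)?)?$")
UNEXPECTED_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc"}
ARTIFACT_DIRS = ("/mnt/models", "/srv/artifacts")
ARTIFACT_WRITER = "svc-train"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def evaluate(ev: dict):
    """Map one telemetry event to an alert name, or None if it is benign."""
    kind = ev.get("type")
    if kind == "exec" and PYTHON_RE.search(ev.get("parent_image", "")):
        # Step 4: a Python interpreter launching a shell or downloader.
        if PurePosixPath(ev.get("image", "")).name in UNEXPECTED_CHILDREN:
            return "python_spawned_shell_or_downloader"
    elif kind == "connect" and PYTHON_RE.search(ev.get("image", "")):
        # Step 4: training jobs should only reach internal networks.
        if not any(ipaddress.ip_address(ev["dst_ip"]) in n for n in INTERNAL_NETS):
            return "training_job_external_connection"
    elif kind == "file_write":
        # Steps 3-4: only the dedicated service account may write artifacts.
        path = PurePosixPath(ev.get("path", ""))
        in_store = any(PurePosixPath(d) in path.parents for d in ARTIFACT_DIRS)
        if in_store and ev.get("user") != ARTIFACT_WRITER:
            return "unexpected_artifact_write"
    return None

def scan(log_text: str):
    """Return (alert, line number) for every JSON-lines event that fires a rule."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        alert = evaluate(json.loads(line)) if line.strip() else None
        if alert:
            hits.append((alert, n))
    return hits

# Constructed sample telemetry in JSON-lines form; not real captured data.
SAMPLE_LOG = """
{"type":"exec","user":"alice","parent_image":"/usr/bin/python3.10","image":"/bin/sh"}
{"type":"exec","user":"svc-train","parent_image":"/usr/bin/python3","image":"/usr/bin/nvidia-smi"}
{"type":"connect","user":"alice","image":"/opt/venv/bin/python","dst_ip":"203.0.113.7","dst_port":443}
{"type":"connect","user":"svc-train","image":"/opt/venv/bin/python","dst_ip":"10.20.0.5","dst_port":9000}
{"type":"file_write","user":"alice","image":"/usr/bin/python3","path":"/mnt/models/rec-v7/checkpoint.pt"}
{"type":"file_write","user":"svc-train","image":"/usr/bin/python3","path":"/mnt/models/rec-v7/checkpoint.pt"}
"""
```

Running `scan(SAMPLE_LOG)` flags lines 1, 3 and 5 and passes the three benign events, which is the split a tuned rule set on a single-tenant node should produce.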

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 17 - Quality Management System
  • Article 9 - Risk Management System
ISO 42001
  • 8.4 - AI System Risk Management — Technical Controls
  • A.6.2.6 - AI System Software Development and Maintenance
  • A.9.3 - AI Supply Chain Management
NIST AI RMF
  • GOVERN-1.7 - Organizational practices and policies for AI risk management
  • MAP 5.1 - Likelihood and Impact of Each Identified Risk
  • MEASURE 2.5 - AI Risk Measurement — Vulnerability Identification
OWASP LLM Top 10
  • LLM05:2025 - Supply Chain Vulnerabilities
  • LLM08:2025 - Vulnerability in Integrated Components (Vector and Embedding Weaknesses)

What is the AI security impact?

Affected AI Architectures

  • training pipelines
  • model serving
  • recommendation system pipelines
  • shared ML compute environments
  • MLOps/CI-CD pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0018.002 Embed Malware
AML.T0020 Poison Training Data
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 17, Article 9
ISO 42001: 8.4, A.6.2.6, A.9.3
NIST AI RMF: GOVERN-1.7, MAP 5.1, MEASURE 2.5
OWASP LLM Top 10: LLM05:2025, LLM08:2025

What are the technical details?

Original Advisory

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Exploitation Scenario

An attacker with low-privileged access to a shared GPU training server (e.g., a data scientist account, compromised CI/CD runner, or malicious insider) crafts a malicious serialized object or configuration input that Transformers4Rec processes without proper sanitization. The injected code executes in the context of the training process, which may run with elevated privileges to access GPU resources or network-attached storage. The attacker pivots to: (1) exfiltrate user behavioral training data from the dataset store, (2) modify model checkpoint files to embed a backdoor that activates on specific inputs in production, or (3) establish persistence on the ML server by modifying shared pipeline scripts. In Kubernetes-based MLOps platforms, the attacker may escape the training pod and access cluster secrets.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: January 20, 2026
Last Modified: April 15, 2026
First Seen: January 20, 2026
