
NVIDIA Isaac Lab Flaw Enables Remote Code Execution

Severity

High

Analysis Summary

A critical deserialization vulnerability, tracked as CVE-2025-32210, has been identified in NVIDIA Isaac Lab, part of the NVIDIA Isaac Sim framework. This flaw allows attackers with low privileges and minimal user interaction to execute arbitrary code on affected systems. The vulnerability arises from improper handling of deserialized data, and all versions prior to v2.3.0 are affected. With a CVSS severity rating of High, the issue is classified as critical, impacting confidentiality, integrity, and availability across affected systems.

The vulnerability falls under CWE-502, a common software development weakness involving deserialization of untrusted data. Attackers can leverage network access to trigger malicious actions, potentially compromising the entire system. Given the ease of exploitation and the high impact, organizations using Isaac Lab are strongly urged to prioritize remediation. Monitoring for suspicious activity or unauthorized code execution attempts is essential until systems are updated.

To address this issue, NVIDIA has released Isaac Lab v2.3.0, which implements proper input validation and secure data handling mechanisms to mitigate the deserialization flaw. Organizations are advised to update all instances across development, testing, and production environments without delay. Users should obtain the patch from NVIDIA’s official GitHub repository to ensure protection against potential exploits.

NVIDIA has publicly credited the NVIDIA AI Red Team researcher who responsibly reported the vulnerability. Comprehensive guidance, including subscription options for security bulletins and details on the vulnerability management process, is available on NVIDIA’s Product Security page. Maintaining updated software and staying informed about emerging threats remain critical for organizations relying on NVIDIA Isaac Lab and other NVIDIA products.

Impact

  • Gain Access
  • Code Execution

Indicators of Compromise

CVE

  • CVE-2025-32210

Affected Vendors

NVIDIA

Remediation

  • Immediately upgrade all instances of NVIDIA Isaac Lab to v2.3.0 from the official NVIDIA GitHub repository.
  • Ensure the update is applied across development, testing, and production environments.
  • Check for any suspicious activity or unauthorized code execution attempts on systems running older versions.
  • Restrict unnecessary network access to Isaac Lab instances to reduce exposure.
  • Review and enforce secure coding practices to prevent deserialization of untrusted data in custom scripts or integrations.
  • Subscribe to NVIDIA’s security bulletins and regularly check their Product Security page for updates on vulnerabilities.
  • Conduct an internal audit to ensure no legacy or unpatched versions of Isaac Lab remain in the environment.
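
For the remediation item on custom scripts and integrations, the following added example (not from the advisory and not NVIDIA code) statically scans Python source for deserialization calls that should never receive untrusted data. The advisory does not name the vulnerable function, so the list of sinks and the sample script are assumptions made for illustration.

```python
import ast

# Sinks chosen for this example (assumption; the advisory names no function).
ALWAYS_UNSAFE = {"pickle.load", "pickle.loads", "yaml.unsafe_load"}
SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader"}

def find_unsafe_deserialization(source, filename="<script>"):
    """Return sorted (line, call, reason) findings for one Python source string."""
    tree = ast.parse(source, filename)
    alias = {}  # local name -> real dotted name, so `import pickle as p` resolves
    for n in ast.walk(tree):
        if isinstance(n, ast.Import):
            for a in n.names:
                root = a.name.split(".")[0]
                alias[a.asname or root] = a.name if a.asname else root
        elif isinstance(n, ast.ImportFrom) and n.module:
            for a in n.names:
                alias[a.asname or a.name] = f"{n.module}.{a.name}"
    findings = []
    for n in (c for c in ast.walk(tree) if isinstance(c, ast.Call)):
        head, _, rest = ast.unparse(n.func).partition(".")  # needs Python 3.9+
        full = alias.get(head, head) + ("." + rest if rest else "")
        kw = {k.arg: k.value for k in n.keywords if k.arg}
        if full in ALWAYS_UNSAFE:
            findings.append((n.lineno, full, "can run code embedded in the input"))
        elif full == "yaml.load":
            loader = kw.get("Loader") or (n.args[1] if len(n.args) > 1 else None)
            leaf = ast.unparse(loader).split(".")[-1] if loader else ""
            if leaf not in SAFE_YAML_LOADERS:
                findings.append((n.lineno, full, "Loader is not a safe loader"))
        elif full == "torch.load":
            w = kw.get("weights_only")
            if not (isinstance(w, ast.Constant) and w.value is True):
                findings.append((n.lineno, full, "weights_only=True not set"))
    return sorted(findings)

# Constructed sample script, not taken from Isaac Lab.
SAMPLE = '''import pickle as p
import yaml, torch
from pickle import loads
cfg = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)
raw = yaml.load(open("c.yml"), Loader=yaml.FullLoader)
ckpt = torch.load("policy.pt")
ok = torch.load("policy.pt", weights_only=True)
demo = p.load(open("demo.pkl", "rb"))
obj = loads(blob)
'''

for line, call, why in find_unsafe_deserialization(SAMPLE):
    print(f"line {line}: {call}: {why}")
```

A finding marks a call to review, not a confirmed flaw: what matters is whether the bytes reaching it can come from outside the trust boundary.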