Rewterz

Multiple NVIDIA Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-23306 CVSS:7.8

NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/arguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVE-2025-23305 CVSS:7.8

NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVE-2025-23298 CVSS:7.8

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a Python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVE-2025-23296 CVSS:7.8

NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVE-2025-23295 CVSS:7.8

NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVE-2025-23304 CVSS:7.8

NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. A successful exploit of this vulnerability may lead to remote code execution and data tampering.

CVE-2025-23294 CVSS:7.8

NVIDIA WebDataset for all platforms contains a vulnerability where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service.

CVE-2025-23303 CVSS:7.8

NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering.

Impact

  • Denial of Service
  • Code Execution
  • Data Manipulation
  • Privilege Escalation
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2025-23306
  • CVE-2025-23305
  • CVE-2025-23298
  • CVE-2025-23296
  • CVE-2025-23295
  • CVE-2025-23304
  • CVE-2025-23294
  • CVE-2025-23303

Affected Vendors

  • NVIDIA

Affected Products

  • NVIDIA Megatron-LM
  • NVIDIA Merlin Transformers4Rec
  • NVIDIA Isaac-GR00T N1
  • NVIDIA Apex
  • NVIDIA NeMo Framework
  • NVIDIA WebDataset

Remediation

Refer to the NVIDIA Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-23306

CVE-2025-23305

CVE-2025-23298

CVE-2025-23296

CVE-2025-23295

CVE-2025-23304

CVE-2025-23294

CVE-2025-23303