NVIDIA, a leader in AI computing, has disclosed two high-severity vulnerabilities in its NeMo Framework, an open-source toolkit for building generative AI models.
Released on November 7, 2025, the security bulletin urges users to update to version 2.5.0 or later to patch flaws that could allow attackers to inject malicious code and escalate privileges.
These issues affect all platforms and versions before 2.5.0, potentially exposing AI development environments to serious risks, including data breaches and system takeovers.
NeMo Framework powers advanced AI applications, from language models to robotics, by enabling developers to train and deploy large-scale neural networks.
However, the vulnerabilities stem from improper handling of user inputs in core components, making it a prime target for threat actors eyeing AI supply chains.
As AI factories and data centers proliferate (think NVIDIA’s recent partnerships with U.S. agencies and South Korea for secure AI infrastructure), these flaws highlight the growing need for robust security in AI tools.
Vulnerability Breakdown and Technical Impacts
The first vulnerability, tracked as CVE-2025-23361, resides in a NeMo script that processes input during model training or inference.
It falls under CWE-94: Improper Control of Generation of Code, where attackers with local access can craft malicious inputs to manipulate code generation.
The CVSS v3.1 base score is 7.8 (High severity), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
This means a low-privilege local user can exploit it with low complexity, without user interaction, potentially leading to arbitrary code execution.
In practice, an attacker could inject shell commands or malware into the script’s dynamic code assembly, bypassing sandboxing in AI workflows.
Impacts include full privilege escalation (turning a standard developer account into root access), confidentiality breaches via info dumps from training datasets, and integrity violations like tampering with model weights.
For instance, altered models could propagate biases or backdoors in downstream AI applications, such as those in NVIDIA’s BlueField-4 data center processors.
The second flaw, CVE-2025-33178, targets the BERT services component, used for natural language processing tasks in NeMo.
Again classified as CWE-94, it allows code injection through malicious data fed into BERT tokenization or embedding processes.
Sharing the same 7.8 CVSS score and vector, exploitation requires local access but could chain with the first CVE for amplified damage.
Attackers might embed executable payloads in input tensors, which are executed during model fine-tuning and expose sensitive API keys or proprietary datasets.
NVIDIA’s risk assessment notes variability based on deployment. However, in shared AI environments, such as cloud-based training on AWS or Azure, this could enable lateral movement across nodes.
Credits go to TencentAISec for CVE-2025-23361 and researchers Guanheng Liu and Pinji Chen from Tsinghua University’s NISL lab for the BERT issue.
Mitigation and Broader Implications
To fix these issues, NVIDIA recommends cloning the latest NeMo release from GitHub or installing it via PyPI.
Earlier branches are also vulnerable, so complete upgrades are essential. Users should scan for exposed local endpoints and enforce least-privilege principles in AI pipelines.
This disclosure underscores vulnerabilities in AI frameworks amid rising threats, such as supply chain attacks.
As NVIDIA pushes open-source AI models and datasets, timely patching remains crucial to safeguard innovation without compromising security.