NVIDIA has issued an urgent security advisory for its Omniverse Launcher application, revealing a significant vulnerability that could expose sensitive user information to unauthorized access.
The vulnerability, designated CVE-2025-23289, affects all versions of the Omniverse Launcher up to and including version 1.9.18 on both Windows and Linux platforms.
The vulnerability stems from improper handling of sensitive information in the launcher’s logging mechanism when users access the application through proxy servers.
The security vulnerability allows malicious actors to cause sensitive data to be written to log files, creating a pathway for information disclosure that could compromise user privacy and organizational security.
NVIDIA Omniverse platform serves as a comprehensive 3D collaboration and simulation environment used by millions of designers, architects, and creators worldwide.
The platform enables real-time collaboration on complex 3D projects across multiple software applications, making it a critical tool for industries ranging from automotive and architecture to entertainment and manufacturing.
Technical Details and Security Assessment
The vulnerability has been classified with a medium severity rating, receiving a CVSS v3.1 base score of 5.5.
The security weakness falls under the CWE-532 category, which specifically addresses the “Insertion of Sensitive Information into Log File” vulnerability class.
This type of vulnerability occurs when applications inadvertently write sensitive data to log files that could be accessible to unauthorized users.
The attack vector requires local access to the system, with low attack complexity and low privileges required for exploitation.
However, the vulnerability requires no user interaction to execute, and successful exploitation could lead to high confidentiality impact without affecting system integrity or availability.
Security experts emphasize that proxy server logs frequently contain highly sensitive information, including user IP addresses, authentication credentials, browsing activities, and personally identifiable information.
When applications improperly log sensitive data through proxy connections, this information becomes vulnerable to unauthorized access by attackers who gain access to log files.
Security Researcher Recognition
NVIDIA has released version 1.9.19 of the Omniverse Launcher to address this critical security vulnerability.
The updated version includes enhanced security measures that suppress potentially sensitive information from being added to launcher logs when authenticated proxy configurations are in use.
All users currently running versions 1.9.18 or earlier must immediately update to the latest version to protect against potential information disclosure.
The security vulnerability was discovered and responsibly disclosed by Yash Kundlik Jare, a cybersecurity student and bug hunter from Symbiosis Skills and Professional University in Maharashtra, India.
Jare, who specializes in ethical hacking and security research, has contributed to multiple security initiatives and holds certifications in cybersecurity and Python development.
His responsible disclosure follows established security protocols, allowing NVIDIA to develop and deploy fixes before the vulnerability details became public.
Organizations using NVIDIA Omniverse Launcher should prioritize this security update as part of their vulnerability management procedures.
The fix addresses the core logging mechanism that previously exposed sensitive information, ensuring that proxy-related data is properly sanitized before being written to log files.
Users can download the updated version from the official NVIDIA Omniverse Launcher Overview Page to maintain secure operations.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
.webp?w=356&resize=356,220&ssl=1 "Microsoft Teams Blocking Users from Accessing Embedded Office Documents")
