Cyber Resilience

CVE-2025-23304

High

Published: 13 August 2025

Modified: 24 September 2025
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0089 (76.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23304 is a high-severity Path Traversal (CWE-22) vulnerability in NVIDIA NeMo. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked in the top 24.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-23304 resides in the model loading component of the NVIDIA NeMo library on all platforms. It stems from insufficient validation of metadata in .nemo files, enabling code injection that can lead to remote code execution and data tampering. The flaw maps to CWE-22 and CWE-94 and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

An attacker with local access and the ability to cause a victim to load a malicious .nemo file can exploit the issue to inject and execute arbitrary code or alter data. No elevated privileges beyond standard user rights are required.

NVIDIA has published an advisory that addresses the vulnerability. Security practitioners should consult the vendor guidance at the referenced support portal for patch availability and recommended actions.

The associated EPSS score has remained low, reaching a peak of only 0.0147. The affected component is widely used in AI/ML workflows for loading trained models.

Vulnerability details

NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. A successful exploit of this vulnerability may lead to remote code execution and data tampering.

CWE(s)

Related Threats

Threat-Actor Attribution (AI)

Active Exploitation of Microsoft SharePoint Vulnerabilities

MITRE ATT&CK Enterprise Techniques (AI)

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Malicious .nemo file loading enables user execution of crafted content (T1204.002) and Python code injection (T1059.006) via the vulnerable model loader.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23360 (Same product: Apple Macos)
CVE-2025-23303 (Same product: Apple Macos)
CVE-2026-9976 (Same product: Apple Macos)
CVE-2026-9938 (Same product: Apple Macos)
CVE-2026-6306 (Same product: Apple Macos)
CVE-2026-6305 (Same product: Apple Macos)
CVE-2026-4455 (Same product: Apple Macos)
CVE-2026-5910 (Same product: Apple Macos)
CVE-2026-5287 (Same product: Apple Macos)
CVE-2026-3910 (Same product: Apple Macos)

Affected Assets

nvidia nemo, versions ≤ 2.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly mitigates the vulnerability by identifying, reporting, and applying patches or updates to the flawed model loading component in the NVIDIA NeMo library.

prevent: Enforces validation of metadata in .nemo files to block code injection from maliciously crafted inputs during model loading.

prevent, detect: Performs integrity checks on .nemo model files to detect tampering or malicious modifications prior to loading, reducing risk of code injection exploitation.
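The integrity and input-validation checks described above can be run before a .nemo file ever reaches the loader. The following is an added example, not NVIDIA's code or part of the original page. It assumes a .nemo file is a tar archive and that a trusted SHA-256 digest was recorded when the model was published; the function names and sample member names are constructed for illustration.

```python
import hashlib
import io
import posixpath
import tarfile

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def unsafe_members(archive: bytes) -> list[str]:
    """Return names of archive members that could escape the extraction directory."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name.replace("\\", "/")
            norm = posixpath.normpath(name)
            escapes = name.startswith("/") or norm == ".." or norm.startswith("../")
            # Links and device nodes have no place in a model archive.
            odd_type = m.issym() or m.islnk() or not (m.isfile() or m.isdir())
            if escapes or odd_type:
                bad.append(m.name)
    return bad

def check_before_load(archive: bytes, pinned_sha256: str) -> list[str]:
    """Return reasons to refuse loading; an empty list means both checks passed."""
    reasons = []
    if sha256_of(archive) != pinned_sha256:
        reasons.append("digest mismatch")
    try:
        reasons += [f"unsafe member: {n}" for n in unsafe_members(archive)]
    except tarfile.TarError:
        reasons.append("not a readable tar archive")
    return reasons

def build_sample(names: list[str]) -> bytes:
    """Build a constructed in-memory tar archive standing in for a .nemo file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            data = b"constructed sample"
            info = tarfile.TarInfo(n)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample(["model_config.yaml", "model_weights.ckpt"])
    tampered = build_sample(["model_config.yaml", "../../outside.txt"])
    print(check_before_load(good, sha256_of(good)))
    print(check_before_load(tampered, sha256_of(good)))
```

These checks cover file integrity and member paths only; they do not inspect the metadata fields themselves, so they complement the vendor patch rather than replace it.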
