CVE-2025-23294
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-14
Assigner: NVIDIA Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | webdataset | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-23294 is a vulnerability in NVIDIA WebDataset that allows an attacker with local access to execute arbitrary code with elevated permissions. This is due to improper neutralization of special elements used in OS commands (OS Command Injection). Exploiting this flaw can lead to privilege escalation, data tampering, information disclosure, and denial of service. [1, 2]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to escalate their privileges on the system, tamper with data, disclose sensitive information, and cause denial of service, potentially disrupting normal operations and compromising system security. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update NVIDIA WebDataset to a version that includes the GitHub commit 9e95f50 or any later code branch containing this commit. This update addresses the vulnerability and protects your system from exploitation. [2]