CVE-2025-33233
Unknown Unknown - Not Provided
Code Injection Vulnerability in NVIDIA Merlin Transformers4Rec

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: NVIDIA Corporation

Description
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-33233
EUVD
EUVD-2026-3359
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nvidia merlin_transformers4rec From 27ddd49 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-33233 is a high-severity code injection vulnerability in NVIDIA Merlin Transformers4Rec across all platforms. It allows an attacker with local access and low privileges to execute arbitrary code. This can lead to unauthorized code execution, escalation of privileges, information disclosure, and data tampering. The vulnerability requires no user interaction and has a high impact on confidentiality, integrity, and availability. [1, 3]

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system, escalate their privileges, disclose sensitive information, and tamper with data. This can compromise the security and integrity of your system and data, potentially leading to significant operational and security risks. [1, 3]

Detection Guidance

Detection involves verifying the version of NVIDIA Merlin Transformers4Rec installed on your system. Specifically, check if the software includes the fix commit 27ddd49 or later in the NVIDIA-Merlin/Transformers4Rec repository. There are no specific network detection commands provided. On Linux systems, you can check the installed version or the presence of the commit by inspecting the software repository or installation directory. For example, if you have the source repository cloned, you can run: git log -1 to see the latest commit and verify if it is 27ddd49 or later. No specific network scanning or system commands for detection are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update or clone the NVIDIA Merlin Transformers4Rec software to a version that includes commit 27ddd49 or later in the NVIDIA-Merlin/Transformers4Rec repository. Applying this update addresses the code injection vulnerability. Users should ensure that all affected versions on Linux are upgraded accordingly. Additionally, evaluate your specific configurations and monitor NVIDIA's ongoing security bulletins for further guidance. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-33233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart