CVE-2025-33233
Code Injection Vulnerability in NVIDIA Merlin Transformers4Rec
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: NVIDIA Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | merlin_transformers4rec | From 27ddd49 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-33233 is a high-severity code injection vulnerability in NVIDIA Merlin Transformers4Rec across all platforms. It allows an attacker with local access and low privileges to execute arbitrary code. This can lead to unauthorized code execution, escalation of privileges, information disclosure, and data tampering. The vulnerability requires no user interaction and has a high impact on confidentiality, integrity, and availability. [1, 3]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system, escalate their privileges, disclose sensitive information, and tamper with data. This can compromise the security and integrity of your system and data, potentially leading to significant operational and security risks. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying the version of NVIDIA Merlin Transformers4Rec installed on your system. Specifically, check if the software includes the fix commit 27ddd49 or later in the NVIDIA-Merlin/Transformers4Rec repository. There are no specific network detection commands provided. On Linux systems, you can check the installed version or the presence of the commit by inspecting the software repository or installation directory. For example, if you have the source repository cloned, you can run: git log -1 to see the latest commit and verify if it is 27ddd49 or later. No specific network scanning or system commands for detection are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update or clone the NVIDIA Merlin Transformers4Rec software to a version that includes commit 27ddd49 or later in the NVIDIA-Merlin/Transformers4Rec repository. Applying this update addresses the code injection vulnerability. Users should ensure that all affected versions on Linux are upgraded accordingly. Additionally, evaluate your specific configurations and monitor NVIDIA's ongoing security bulletins for further guidance. [1]