A critical vulnerability in NVIDIA\u2019s<\/a> Merlin Transformers4Rec library (CVE-2025-23298) enables unauthenticated attackers to achieve remote code execution (RCE) with root privileges via unsafe deserialization in the model checkpoint loader.\u00a0<\/p>\n The discovery underscores the persistent security risks inherent in ML\/AI frameworks\u2019 reliance on Python\u2019s pickle serialization.<\/p>\n Trend Micro\u2019s Zero Day Initiative (ZDI) stated that the vulnerability resides in the load_model_trainer_states_from_checkpoint function, which uses PyTorch\u2019s torch.load() without safety parameters. Under the hood, torch.load() leverages Python\u2019s pickle module, allowing arbitrary object deserialization<\/a>.\u00a0<\/p>\n Attackers can embed malicious code in a crafted checkpoint file\u2014triggering execution when untrusted pickle data is loaded. In the vulnerable implementation, cloudpickle loads the model class directly:<\/p>\n This approach grants attackers full control of the deserialization process. By defining a custom __reduce__ method, a malicious checkpoint can execute arbitrary system commands upon loading, e.g., calling os.system() to fetch and execute a remote script.<\/p>\n The attack surface is vast: ML practitioners routinely share pre-trained checkpoints via public repositories or cloud storage. Production ML pipelines often run with elevated privileges<\/a>, meaning a successful exploit not only compromises the model host but can also escalate to root-level access.<\/p>\n To demonstrate the flaw, researchers crafted a malicious checkpoint:<\/p>\n Loading this checkpoint via the vulnerable function triggers the embedded shell command prior to any model weight restoration\u2014resulting in immediate RCE under the context of the ML service.<\/p>\n NVIDIA addressed the issue in PR #802 by replacing raw pickle calls with a custom load() function that whitelists approved classes.\u00a0<\/p>\n The patched loader in serialization.py enforces input validation, and developers are encouraged to use weights_only=True in torch.load() to avoid untrusted object deserialization.<\/p>\n Developers must never use pickle on untrusted data and should restrict deserialization to known, safe classes.\u00a0<\/p>\n Alternative formats\u2014such as Safetensors or ONNX\u2014offer safer model persistence. Organizations should enforce cryptographic signing of model files, sandbox deserialization processes, and include ML pipelines in regular security audits.\u00a0<\/p>\n The broader community must advocate for security-first design principles and deprecate pickle-based mechanisms altogether.<\/p>\n Until pickle reliance is eliminated, similar vulnerabilities will persist. Vigilance, robust input validation, and a zero-trust mindset remain crucial to safeguarding production ML systems against supply-chain and RCE threats.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post NVIDIA Merlin Vulnerability Allow Attacker to Achieve Remote Code Execution With Root Privileges<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNVIDIA Merlin Vulnerability<\/strong><\/h2>\n
![\"NVIDIA](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-154.png?resize=681%2C160&ssl=1\")
<\/figure>\n<\/div>\n![\"NVIDIA](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-155.png?resize=734%2C141&ssl=1\")
<\/figure>\n<\/div>\n![\"Patch](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-156-1024x668.png?resize=1024%2C668&ssl=1\")
\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n NVIDIA Merlin Transformers4Rec \u2264 v1.5.0<\/td>\n<\/tr>\n \n Impact<\/td>\n Remote code execution as root<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n Attacker-supplied model checkpoint loaded via torch.load()<\/td>\n<\/tr>\n \n CVSS 3.1 Score<\/td>\n 9.8 (Critical)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n