
CVE-2025-23298 Getting Remote Code Execution in NVIDIA Merli...#1431

Merged
carlospolop merged 61 commits into master from update_CVE-2025-23298__Getting_Remote_Code_Execution_in_N_20250924_182827
Oct 1, 2025

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Target: NVIDIA Merlin Transformers4Rec (Transformers-based recommender library for PyTorch). Integrates with Hugging Face Transformers, NVTabular, and Triton Inference Server.

CVE: CVE-2025-23298 — critical unsafe deserialization enabling remote code execution (often with elevated privileges) when loading model checkpoints.

Vulnerable component and code path: load_model_trainer_sta...

🔧 Technical Details

Abusing pickle reducers in ML checkpoints for RCE: Any ML framework path that calls torch.load() on untrusted checkpoints can be weaponized by embedding an object whose __reduce__ returns a callable (e.g., os.system) and arguments. Place the object under a key guaranteed to be deserialized (e.g., model_state_dict). When the framework resumes training or loads the model, the reducer executes and runs attacker-controlled code.

Supply-chain delivery via shared artifacts: Trojanize a checkpoint/model and distribute it through common channels (repos, cloud buckets, artifact registries). CI/CT/AutoML workflows that auto-resume or auto-deploy will deserialize the payload, granting code execution with the service’s privileges.

Defensive pattern for deserialization: Replace generic torch.load() with an allow-listed deserializer that validates object types and fields, prefer formats that don’t ex...

🤖 Agent Actions

I analyzed the repository and found an existing, highly relevant page for this content: src/AI/AI-Models-RCE.md. It already covers ML model deserialization RCEs (including PyTorch torch.load pickle behavior) and deep-links to the Keras model deserialization page. This is the best place to integrate the NVIDIA Merlin Transformers4Rec unsafe deserialization content.

What I updated:

  • Added a new table row for NVIDIA Merlin Transformers4Rec (CVE-2025-23298) summarizing the vulnerability and linking to the ZDI advisory.
  • Added a dedicated section “NVIDIA Merlin Transformers4Rec RCE via unsafe torch.load (CVE-2025-23298)” explaining:
    • The vulnerable function and file path (load_model_trainer_states_from_checkpoint in transformers4rec/torch/trainer/trainer.py).
    • Why torch.load/pickle reducers cause RCE, with a minimal malicious checkpoint code example placing a reducer under model_state_dict.
    • Attack surface (supply chain via shared artifacts; automated resume/deploy pipelines; often elevated context).
    • The patch details (commit b7eaea5, PR #802) introducing an allow-listed deserializer in transformers4rec/utils/serialization.py.
    • Defensive recommendations (use weights_only=True or allow-listed unpickler; prefer Safetensors/ONNX; provenance/signing; sandboxing; detection ideas).
    • Links to the vulnerable loader gist, PoC gist, and post-patch gist.
  • Extended the References section with:
    • The ZDI blog post URL you provided.
    • ZDI advisory link, NVIDIA commit link, and the gists.
    • Hugging Face Transformers project link for context.

No new files were created since the content fit naturally into the existing AI-Models-RCE page, which already addresses ML model checkpoint deserialization risks and references the Keras page for deeper gadget hunting content.

Changes implemented:

  • src/AI/AI-Models-RCE.md updated with the new section, table entry, and references.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
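Defender-side illustration of the allow-listed deserializer pattern described under Technical Details: a static scan of the pickle stream for imported globals, followed by a restricted unpickler. This is an added example, not code from the PR, HackTricks or Transformers4Rec; it assumes a plain-container state dict and uses the standard pickle module instead of torch, and the suspect sample's reducer targets the harmless builtins.len rather than a shell command.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Allow-list of (module, name) pairs the loader may resolve. Assumption for this
# example: containers only; a real torch loader adds the tensor rebuild helpers.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("builtins", "dict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
GET_OPS = {"BINGET", "LONG_BINGET", "GET"}

def referenced_globals(data: bytes) -> set:
    """Static scan: every GLOBAL/STACK_GLOBAL target, with nothing executed."""
    found, memo, memo_idx, recent = set(), {}, 0, []
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in GET_OPS:              # operand fetched from the memo
            recent.append(memo.get(arg))
        elif op.name == "MEMOIZE":            # protocol 4: implicit memo index
            memo[memo_idx] = recent[-1] if recent else None
            memo_idx += 1
        elif op.name == "GLOBAL":             # protocol <= 3: "module name" inline
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":       # protocol 4+: module, name from stack
            found.add((recent[-2], recent[-1]))
    return found

class AllowListedUnpickler(pickle.Unpickler):
    """Runtime guard: refuse to resolve any global outside ALLOWED_GLOBALS."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    """Scan first, then load only through the allow-listed unpickler."""
    bad = referenced_globals(data) - ALLOWED_GLOBALS
    if bad:
        raise pickle.UnpicklingError(f"disallowed globals: {sorted(bad)}")
    return AllowListedUnpickler(io.BytesIO(data)).load()

class _Reducer:
    """Constructed sample: reducer aimed at a non-allow-listed global (harmless len)."""
    def __reduce__(self):
        return (len, ("payload",))

# Constructed checkpoints: a clean state dict and one carrying the reducer.
BENIGN = pickle.dumps(OrderedDict(weight=[1.0, 2.0]), protocol=4)
SUSPECT = pickle.dumps({"model_state_dict": _Reducer()}, protocol=4)
```

The scan alone is a cheap CI gate for shared artifacts, while the find_class guard still catches anything a scanner misses at load time.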

carlospolop and others added 30 commits August 29, 2025 11:56
…oading_20250824_182553

DLL ForwardSideLoading
… for Andr...

- Remove searchindex.js (auto-generated file)
- Remove searchindex.js (auto-generated file)
…ache Pois...

- Remove searchindex.js (auto-generated file)
- Remove searchindex.js (auto-generated file)
…al captur...

- Remove searchindex.js (auto-generated file)
…ilege Esc...

- Remove searchindex.js (auto-generated file)
…droid Sec...

- Remove searchindex.js (auto-generated file)
…unted__a_decade_old_RCE_in_the_AIO_20250828_123942

This House is Haunted a decade old RCE in the AION client
Replaced incorrect reference to 'HTLM' with the correct term 'NTLM'.
…vanced_SSL_Pinning_Detection_for_A_20250901_123952

SSLPinDetect Advanced SSL Pinning Detection for Android Secu...
…dows-hardening_windows-local-privilege-escalation_juicypotato_20250829_012533

Research Update Enhanced src/windows-hardening/windows-local...
…ope_Client_for_Windows___Local_Pri_20250830_184240

Advisory – Netskope Client for Windows – Local Privilege Esc...
…er_Fox__Cat___Mouse_in_Kernel_Shad_20250828_185321

Chasing the Silver Fox Cat & Mouse in Kernel Shadows
…_Actuator_HeapDump_to_SSH__credent_20250830_182823

HTB Eureka From Actuator HeapDump to SSH, credential capture...
…_password_spray_to_gMSA_dump__then_20250828_183418

HTB Sendai From password spray to gMSA dump, then ADCS ESC4 ...
…CTF_born_exploits_and_techniques_20250830_123618

The Art of PHP CTF‑born exploits and techniques
…_1_-_A_multistage_dropper_20250829_183210

GodFather - Part 1 - A multistage dropper
…ive-direc...

- Remove searchindex.js (auto-generated file)
…ht_in-app_JNI___so__behavior_logge_20250829_123609

SoTap Lightweight in-app JNI (.so) behavior logger for Andro...
carlospolop and others added 19 commits September 7, 2025 16:49
…Security__Understanding_the_Regist_20250905_011652

Demystifying 5G Security Understanding the Registration Prot...
…dows-hardening_active-directory-methodology_ad-certificates_domain-persistence_20250904_012126

Research Update Enhanced src/windows-hardening/active-direct...
…_Laravel_env_override__CVE_2024_52_20250907_012404

HTB Environment Laravel env override (CVE‑2024‑52301) → LFM ...
…le_Android_Bug_Bounty_Lab__Emulato_20250905_123731

Build a Repeatable Android Bug Bounty Lab Emulator vs Magisk...
…integrity_checks_to_locally_backdo_20250904_182820

Subverting code integrity checks to locally backdoor Signal,...
…Can__Sitecore_Experience_Platform__20250829_183502

Cache Me If You Can Sitecore Experience Platform Cache Poiso...
…ege_Escalation_in_Service_Finder_B_20250904_125030

Unpatched Privilege Escalation in Service Finder Bookings Pl...
…Improvements_and_Vulnerability_Dis_20250904_124648

ksmbd - Fuzzing Improvements and Vulnerability Discovery (2/...
…IDIA Merl...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.thezdi.com/blog/2025/9/23/cve-2025-23298-getting-remote-code-execution-in-nvidia-merlin

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Python > ML Model Deserialization RCE (PyTorch torch.load/pickle reducers) [extend/related to: Keras Model Deserialization Rce And Gadget Hunting]".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions Bot force-pushed the master branch 4 times, most recently from 55d15da to 919cd5c on September 29, 2025 21:20
@carlospolop
Collaborator Author

merge

@github-actions github-actions Bot force-pushed the master branch 2 times, most recently from 88a07c5 to 73b307c on September 29, 2025 22:21
@carlospolop carlospolop merged commit 5cfdf51 into master Oct 1, 2025
@carlospolop carlospolop deleted the update_CVE-2025-23298__Getting_Remote_Code_Execution_in_N_20250924_182827 branch October 1, 2025 02:40

2 participants