CVE-2025-33213

HIGH
Published December 9, 2025
CISO Take

NVIDIA Merlin Transformers4Rec contains a high-severity deserialization flaw (CWE-502) in its Trainer component enabling remote code execution when a user loads a malicious artifact. If your ML teams use this library for transformer-based recommendation systems, patch immediately via NVIDIA advisory ID 5739. Until patched, restrict Trainer inputs to internally signed, verified sources only and sandbox training workloads.

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Moderate

Recommended Action

  1. Patch: Apply NVIDIA's fix immediately per advisory https://nvidia.custhelp.com/app/answers/detail/a_id/5739.
  2. Inventory: Audit all environments running Merlin Transformers4Rec Trainer across dev, staging, and production.
  3. Restrict inputs: Enforce strict allowlists on model checkpoint and artifact sources; only load files from internally verified, cryptographically signed repositories.
  4. Isolate training workloads: Run training jobs in sandboxed containers with restricted syscalls (seccomp/AppArmor) to limit blast radius.
  5. Detect: Monitor for unexpected process spawning, outbound network connections, or anomalous file writes from training processes; alert on deserialization of externally sourced pickle/joblib files.
  6. Audit MLOps pipelines: Identify any automated pipeline that ingests unvalidated model artifacts from external or user-supplied sources and gate with artifact validation.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.1 - AI supply chain management
A.6.2 - AI system lifecycle security
NIST AI RMF
GOVERN 6.1 - Policies for AI risk and vulnerability management
GOVERN 1.7 - Processes for identifying and managing AI risks across the lifecycle
MANAGE 2.4 - Risks associated with third-party entities
MANAGE 2.2 - Mechanisms to detect, respond to, and recover from AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Technical Details

NVD Description

NVIDIA Merlin Transformers4Rec for Linux contains a vulnerability in the Trainer component, where a user could cause a deserialization issue. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.

Exploitation Scenario

An adversary crafts a malicious serialized Python object (via pickle) embedded in a model checkpoint file for a transformer-based recommendation model. They distribute it through a poisoned model registry, a shared S3 bucket with lax permissions, or a spearphishing email with a convincing 'pre-trained Merlin model for fine-tuning' attachment. When an ML engineer loads the artifact into the Trainer component for fine-tuning or evaluation, deserialization fires arbitrary code execution on their training host — which typically has privileged access to internal data lakes, cloud storage credentials, and GPU cluster orchestration APIs. The adversary exfiltrates training data, implants a persistent backdoor in the model or training environment, or pivots laterally into the broader MLOps infrastructure.
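Steps 3 and 5 of the recommended actions above, applied to the pickle-based checkpoint described in this scenario: a provenance gate that loads only digests from a trusted manifest, backed by an unpickler that refuses every global not on an allowlist. This is an added example, not Transformers4Rec or NVIDIA code; the SAFE_GLOBALS allowlist, the trusted digest set and both sample checkpoints are constructed assumptions.

```python
import datetime
import hashlib
import io
import pickle

# Hypothetical allowlist of globals a checkpoint may reference. Dicts, lists,
# strings and numbers pickle with no global reference at all; anything else
# must be vetted and named here explicitly.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals.

    pickle's GLOBAL/STACK_GLOBAL opcodes go through find_class(); a code
    execution payload depends on that call resolving an importable callable,
    so refusing unknown names stops it before any object is constructed.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def gate_checkpoint(data: bytes, trusted_digests: set[str]):
    """Artifact gate for a training pipeline: provenance check first, then the
    restricted loader. Returns (verdict, payload); any verdict other than "ok"
    is what the advisory's detection step should raise an alert on."""
    if sha256_hex(data) not in trusted_digests:
        return "untrusted-digest", None
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError:
        return "blocked-global", None


# Constructed sample artifacts, not real Transformers4Rec checkpoints.
BENIGN_CKPT = pickle.dumps({"epoch": 3, "weights": {"layer.0": [0.1, -0.2, 0.3]}})
# Carries an arbitrary class instance: harmless here, but an unreviewed global
# is exactly what a deserialization payload needs resolved.
UNVETTED_CKPT = pickle.dumps(datetime.date(2025, 12, 9))
TRUSTED_DIGESTS = {sha256_hex(BENIGN_CKPT)}  # in practice from a signed manifest
```

The second layer matters even when the digest check passes: a checkpoint that someone managed to publish into the trusted registry is still rejected if it references anything outside the allowlist.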

Weaknesses (CWE)

CWE-502 - Deserialization of Untrusted Data

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
December 9, 2025
Last Modified
December 9, 2025
First Seen
December 9, 2025