CVE-2025-33233

HIGH

Published January 20, 2026

CISO Take

NVIDIA Merlin Transformers4Rec contains a code injection flaw (CWE-94) that allows a local low-privileged attacker to achieve full code execution with no user interaction. Organizations running Transformers4Rec in shared ML compute environments, GPU clusters, or multi-tenant data science platforms should patch immediately — local access in these environments is routine for many users. Audit all deployments and enforce least-privilege on ML workloads as an interim control.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Apply NVIDIA's fix referenced in advisory a_id/5761 immediately. Monitor NVIDIA Security Bulletins for updated package versions. 2. ISOLATION: Until patched, restrict Transformers4Rec execution to dedicated, single-tenant environments — no shared Jupyter servers or multi-user ML platforms. 3. LEAST PRIVILEGE: Enforce strict OS-level user isolation on ML compute nodes; run training jobs under dedicated service accounts with no write access to model artifact stores. 4. DETECTION: Monitor for anomalous process spawning from Python interpreter processes on ML nodes (e.g., unexpected shell invocations, network connections from training jobs). Alert on unexpected writes to model artifact directories. 5. SBOM AUDIT: Enumerate all internal pipelines and MLOps tooling that depend on Transformers4Rec via pip/conda dependency trees. 6. CONTAINER HARDENING: If running in containers, ensure seccomp/AppArmor profiles block unexpected syscalls from ML workloads.

Classification

Code Execution Auth Bypass Supply Chain Framework Training Data Model AML.T0010.001 - AI Software AML.T0018.002 - Embed Malware AML.T0020 - Poison Training Data AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0106 - Exploitation for Credential Access

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 17 - Quality Management System Article 9 - Risk Management System

ISO 42001

8.4 - AI System Risk Management — Technical Controls A.6.2.6 - AI System Software Development and Maintenance A.9.3 - AI Supply Chain Management

NIST AI RMF

GOVERN-1.7 - Organizational practices and policies for AI risk management MAP 5.1 - Likelihood and Impact of Each Identified Risk MEASURE 2.5 - AI Risk Measurement — Vulnerability Identification

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities LLM08:2025 - Vulnerability in Integrated Components (Vector and Embedding Weaknesses)

Technical Details

NVD Description

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Exploitation Scenario

An attacker with low-privileged access to a shared GPU training server (e.g., a data scientist account, compromised CI/CD runner, or malicious insider) crafts a malicious serialized object or configuration input that Transformers4Rec processes without proper sanitization. The injected code executes in the context of the training process, which may run with elevated privileges to access GPU resources or network-attached storage. The attacker pivots to: (1) exfiltrate user behavioral training data from the dataset store, (2) modify model checkpoint files to embed a backdoor that activates on specific inputs in production, or (3) establish persistence on the ML server by modifying shared pipeline scripts. In Kubernetes-based MLOps platforms, the attacker may escape the training pod and access cluster secrets.

Weaknesses (CWE)

CWE-94 Primary

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published

January 20, 2026

Last Modified

January 26, 2026

First Seen

January 20, 2026

Back to Threat Feed