Tuesday, 02 January 2024 12:17 GMT

Merlin's Weak Link: NVIDIA AI Library Vulnerability Exposes Root RCE Risk


(MENAFN- The Arabian Post)

A critical security flaw in NVIDIA's Merlin Transformers4Rec framework allows threat actors to execute code remotely with root-level access, raising alarm across the AI ecosystem. The vulnerability, tracked as CVE-2025-23298, stems from unsafe deserialization in the model checkpoint loading routine.

Attackers exploiting this flaw can submit crafted model files that, when deserialized via Python's built-in mechanisms, trigger arbitrary command execution within the process's context. Given that AI infrastructure often runs with escalated privileges in production, the outcome may extend far beyond a single model compromise.

NVIDIA confirmed that the patch is available in commit b7eaea5, which introduces stricter validation of serialized objects and limits the classes allowed during deserialization. The official security advisory lists affected versions of Transformers4Rec as “all versions not including commit b7eaea5”.

Merlin's Transformers4Rec is widely used in recommendation systems, especially in e-commerce and media platforms. It integrates with Hugging Face Transformers and pipelines leveraging PyTorch and Triton Inference Server, making it a critical link in many organisations' AI stacks.

Trend Micro's ZDI Threat Hunting Team flagged the issue during audits of AI frameworks, confirming that unsafe use of pickle underlies the flaw. In particular, the vulnerable function load_model_trainer_states_from_checkpoint called torch.load() without restrictions, effectively allowing a malicious serialized payload to execute system commands when loaded.

The severity of CVE-2025-23298 is rated high, with a CVSS 3.1 score of 7.8, reflecting the danger of confidentiality, integrity, and availability loss. Attack complexity is low, and no user interaction is required, though local access with low privileges is needed.

Security firms caution that the flaw is symptomatic of a broader problem in AI development: reliance on serialization tools that permit code execution if misused. The continued use of pickle in model persistence workflows is a major risk vector in machine learning supply chains.


Mitigation steps include upgrading to patched versions that enforce class-based white-listing for deserialized objects, using weights_only=True where possible, sandboxing model loading, and validating the origin of model artifacts. Organisations are urged to restrict systems' file access and monitor for anomalous execution activity.
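As an added illustration of the class-based allow-listing mentioned above (example code, not from the advisory or the Transformers4Rec project), the loader below uses pickle's find_class hook to refuse any global a checkpoint references that is not explicitly permitted; torch.load(weights_only=True) applies the same principle. The allow-list and both sample checkpoints are constructed for the example, and no PyTorch install is assumed.

```python
import collections
import io
import pickle
import subprocess

# Constructed allow-list of (module, name) pairs a checkpoint may reference.
# A real loader would list exactly the tensor/storage classes its framework
# serialises; torch state_dicts are OrderedDicts, hence this entry.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects globals outside the allow-list.

    Every GLOBAL / STACK_GLOBAL opcode in a pickle stream is resolved through
    find_class, so overriding it is the standard way to stop a checkpoint from
    importing arbitrary callables (the primitive behind pickle-based RCE).
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"checkpoint references disallowed global {module}.{name}")


def load_checkpoint(data):
    """Return (ok, payload); ok is False when the allow-list rejected the file.

    On rejection, payload holds the error text instead of the object.
    """
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed benign checkpoint: only builtin containers plus OrderedDict.
BENIGN_CHECKPOINT = pickle.dumps({
    "model_state": collections.OrderedDict([("layer.weight", [0.1, 0.2])]),
    "epoch": 3,
})

# Constructed suspicious checkpoint: merely *references* a non-allow-listed
# global (pickled by name, nothing is executed here). Plain pickle.loads would
# resolve the import; the restricted loader refuses before building anything.
SUSPICIOUS_CHECKPOINT = pickle.dumps(subprocess.Popen)
```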

Beyond the immediate patching, the industry is facing mounting pressure to adopt safer serialization formats like Safetensors or ONNX, combined with cryptographic signing of model files and hardened deployment architectures. Experts argue that machine learning security must shift from reactive patching to proactive, framework-level safeguards.

Several other NVIDIA frameworks have also been implicated in code injection vulnerabilities, including WebDataset, Apex, Isaac-GR00T, Megatron-LM, and NeMo. The company's broader August security bulletin addresses these in tandem, reflecting a coordinated response across its AI software portfolio.
