CVE-2025-23304

Name
CVE-2025-23304
Description
NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. A successful exploit of this vulnerability may lead to remote code execution and data tampering.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
psirt@nvidia.com https://nvd.nist.gov/vuln/detail/CVE-2025-23304
psirt@nvidia.com https://nvidia.custhelp.com/app/answers/detail/a_id/5686
psirt@nvidia.com https://www.cve.org/CVERecord?id=CVE-2025-23304

Match rules

CPE URI Source package Min version Max version
nvidia-nemo-framework == All versions prior to 2.3.2 == All versions prior to 2.3.2
cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:* nemo >= None < 24.12
cpe:2.3:a:nvidia:nemo:*:*:*:*:*:*:*:* nemo >= None < 2.3.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
nemo edge-community 6.6.0-r1 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo edge-community 6.6.0-r0 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo edge-community 6.4.5-r1 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo edge-community 6.4.5-r0 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo edge-community 6.4.4-r0 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo edge-community 6.4.3-r0 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo edge-community 6.4.2-r0 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo 3.23-community 6.6.0-r1 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable
nemo 3.22-community 6.4.5-r0 Hugo Osvaldo Barrera <hugo@whynothugo.nl> possibly vulnerable