CVE-2025-23304 is a path traversal vulnerability classified under CWE-22 found in the NVIDIA NeMo Framework, a toolkit widely used for building and deploying AI models. The vulnerability resides in the model loading component that processes .nemo files, which contain model metadata. Due to improper limitation of pathname access, an attacker can craft malicious .nemo files with specially designed metadata that bypasses directory restrictions, enabling them to inject arbitrary code during the model loading process. This can lead to remote code execution (RCE), allowing attackers to execute arbitrary commands with the privileges of the process running NeMo. Additionally, data tampering is possible, compromising the integrity of AI models and potentially altering their behavior. The vulnerability affects all versions prior to 2.3.2 and requires low privileges and local access but does not require user interaction. The CVSS v3.1 score of 7.8 reflects high severity, with high impact on confidentiality, integrity, and availability. While no exploits are currently known in the wild, the nature of the flaw makes it a significant risk for organizations leveraging NVIDIA NeMo in AI workflows. The vulnerability was reserved in January 2025 and published in August 2025, indicating a recent discovery and disclosure. No official patch links are provided yet, but upgrading to version 2.3.2 or later is advised once available. The flaw highlights the importance of secure file handling and validation in AI frameworks to prevent supply chain and code injection attacks.

The vulnerability poses a critical risk to organizations using NVIDIA NeMo Framework for AI model development and deployment. Exploitation can lead to remote code execution, allowing attackers to gain control over affected systems, potentially leading to unauthorized access, data theft, or disruption of AI services. Data tampering risks undermine the integrity and trustworthiness of AI models, which can have cascading effects in applications relying on these models for decision-making, such as autonomous systems, healthcare, finance, and more. The requirement for low privileges and no user interaction lowers the barrier for exploitation, increasing the threat surface. Organizations with AI infrastructure that integrates NVIDIA NeMo are at risk of targeted attacks aiming to compromise AI pipelines or leverage compromised systems for lateral movement. The vulnerability also threatens availability if attackers disrupt AI services or corrupt models. Given the growing adoption of AI frameworks globally, the impact can be widespread, affecting both private sector and critical infrastructure entities.

1. Immediately upgrade NVIDIA NeMo Framework to version 2.3.2 or later once patches are available to address this vulnerability. 2. Implement strict validation and sanitization of all .nemo files before loading, ensuring metadata does not contain path traversal sequences or unauthorized file references. 3. Restrict file system permissions for directories used by NeMo to prevent unauthorized file creation or modification. 4. Employ application whitelisting and runtime application self-protection (RASP) to detect and block anomalous code execution attempts within AI model loading processes. 5. Monitor logs and file access patterns for suspicious activity related to .nemo file handling. 6. Isolate AI model loading environments using containerization or sandboxing to limit the impact of potential exploitation. 7. Educate developers and system administrators about secure handling of AI model files and the risks of loading untrusted models. 8. Coordinate with NVIDIA support and subscribe to security advisories for timely updates and patches.