Safety patches for the Merlin framework addressing two high-severity deserialization vulnerabilities. That might enable attackers to execute arbitrary code and launch denial-of-service assaults on affected Linux methods.
NVIDIA researchers have recognized two vulnerabilities in Merlin parts that leverage insecure deserialization.
Each CVE-2025-33214 and CVE-2025-33213 carry CVSS base scores of 8.8, indicating high-severity threats that require speedy consideration from system directors.
CVE IDDescriptionBase ScoreCWEVectorCVE-2025-33214NVIDIA NVTabular for Linux incorporates a vulnerability within the Workflow element, the place a person might trigger a deserialization situation. 8.8CWE-502AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HCVE-2025-33213NVIDIA Merlin Transformers4Rec for Linux incorporates a vulnerability within the Coach element the place a person could trigger a deserialization situation. 8.8CWE-502AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Crucial Deserialization Flaws Found
The vulnerabilities have an effect on NVTabular’s Workflow element and Transformers4Rec’s Coach element.
Profitable exploitation permits attackers to execute malicious code, set off denial-of-service situations, disclose delicate data, and tamper with important knowledge.
The assault vector requires low-complexity community entry and person interplay, making these vulnerabilities notably regarding for enterprise environments.
All variations of NVIDIA NVTabular and Merlin Transformers4Rec for Linux that lack particular safety commits are susceptible to those assaults.
Organizations working these frameworks should instantly replace their installations to guard towards potential exploits. NVIDIA has launched safety patches by means of GitHub commits.
For NVTabular, customers should replace to commit 5dd11f4 or later from the NVIDIA-Merlin/NVTabular repository. Transformers4Rec customers want to use commit 876f19e or later from the NVIDIA-Merlin/Transformers4Rec repository.
NVIDIA acknowledged the safety researcher for responsibly disclosing each vulnerabilities by means of coordinated disclosure.
The corporate launched the preliminary safety bulletin on December 9, 2025, offering remediation steering to affected organizations.
System directors ought to prioritize updating NVIDIA Merlin installations by cloning or updating the software program to incorporate the safety commits.
Organizations ought to go to NVIDIA Product Safety pages for added vulnerability data and subscribe to safety bulletin notifications for future updates.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
