
NVIDIA Merlin Flaw Enables Remote Code Execution with Root Access


A critical vulnerability in NVIDIA’s Merlin Transformers4Rec library allows attackers to achieve remote code execution with root privileges.

Discovered by the Trend Micro Zero Day Initiative (ZDI) Threat Hunting Team, the flaw stems from unsafe deserialization in the model checkpoint loading functionality.

Tracked as CVE-2025-23298, this vulnerability underscores the persistent security challenges in machine learning frameworks that rely on Python’s pickle serialization.

Discovery of Unsafe Deserialization

While auditing ML/AI frameworks for supply chain risks, ZDI researchers focused on how models are persisted and loaded.

In Transformers4Rec’s load_model_trainer_states_from_checkpoint function, PyTorch’s torch.load() is used without sandboxing or class restrictions.

CVE            | Affected Product               | Impact                        | CVSS 3.1 Score
CVE-2025-23298 | NVIDIA Merlin Transformers4Rec | Remote Code Execution as root | 9.8

Because torch.load() uses Python’s pickle protocol, it can execute arbitrary code during deserialization.
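A defender-side check for this class of flaw, added here as an example and not code from Transformers4Rec, NVIDIA or ZDI: before a checkpoint is handed to torch.load(), disassemble its pickle stream with the standard library's pickletools (which never executes anything) and reject any GLOBAL or STACK_GLOBAL reference outside an allowlist. The allowlist, the sample pickles and the json.loads stand-in for a foreign callable are constructed for this example; torch.load(weights_only=True) applies the same idea with torch's own list.

```python
import json
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist: the only globals a tensor-only checkpoint needs to rebuild.
SAFE_GLOBALS = {"collections.OrderedDict", "torch._utils._rebuild_tensor_v2",
                "torch.FloatStorage"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "BINUNICODE8", "SHORT_BINUNICODE"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> set[str]:
    """Statically walk the opcode stream and collect every module.name it would import."""
    found, strings, memo, last, next_memo = set(), [], {}, None, 0
    for op, arg, _pos in pickletools.genops(data):
        pushed = None
        if op.name == "GLOBAL":                     # protocol <= 3: arg is "module name"
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":             # protocol 4+: module, name on the stack
            name, module = strings.pop(), strings.pop()
            found.add(f"{module}.{name}")
        elif op.name in STRING_OPS:
            pushed = arg
        elif op.name in GET_OPS:
            pushed = memo.get(arg)                  # a memoized string pushed again
        elif op.name == "MEMOIZE":                  # memoizes whatever was just pushed
            memo[next_memo] = last
            next_memo += 1
        elif op.name in PUT_OPS:
            memo[arg] = last
        if pushed is not None:
            strings.append(pushed)
        last = pushed                               # None unless this opcode pushed a string
    return found


def check_checkpoint(data: bytes) -> list[str]:
    """Globals outside the allowlist; an empty list means the file only rebuilds tensors."""
    return sorted(g for g in referenced_globals(data) if g not in SAFE_GLOBALS)


# Constructed samples standing in for the pickle inside a checkpoint: a state-dict-shaped
# object at protocol 4 and at protocol 2 (torch's default), and one that drags in a
# callable from another module, which a weights-only load must refuse.
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
BENIGN_P2 = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=2)
SUSPECT = pickle.dumps({"callback": json.loads}, protocol=4)
```

Real torch checkpoints are zip archives whose data.pkl member is the stream to scan; the check belongs in front of the loader, not after it.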

ZDI confirmed that loading a crafted checkpoint file could trigger root-level commands immediately ...


Copyright of this story solely belongs to gbhackers.