SB2026051924 - Two vulnerabilities in NVIDIA NeMo Framework
Published: May 19, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2025-23361)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.
The vulnerability exists due to improper control of code generation in a script when processing malicious input. A local user can provide malicious input to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.
2) Code Injection (CVE-ID: CVE-2025-33178)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.
The vulnerability exists due to code injection in the BERT services component when processing malicious data. A local user can provide malicious data to execute arbitrary code, escalate privileges, disclose sensitive information, and tamper with data.
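Both entries above are instances of CWE-94: a string that should have been treated as data (a config value, a CLI override, a field in a checkpoint) is instead handed to the interpreter and runs with the privileges of the process. The following added example is not NVIDIA NeMo code and does not describe either CVE's actual code path; it is a generic illustration of the anti-pattern beside the hardened forms a reviewer would expect. The loader, its field names and the activation allowlist are all hypothetical, and the sample inputs are constructed.

```python
"""
Added illustration of the CWE-94 (code injection) pattern named in this bulletin.
NOT NVIDIA NeMo code; load_config, its keys and ACTIVATIONS are hypothetical.
"""
import ast
import math
from typing import Any, Callable, Dict

# Hypothetical allowlist: the only callables a config may name by string.
ACTIVATIONS: Dict[str, Callable[[float], float]] = {
    "relu": lambda x: max(0.0, x),
    "tanh": math.tanh,
}


def parse_value_vulnerable(text: str) -> Any:
    """The CWE-94 anti-pattern: eval() turns any config value into code.
    Whatever string reaches this function from an untrusted file or
    argument is executed with the privileges of the process."""
    return eval(text)  # intentionally unsafe, kept only for comparison


def parse_value_safe(text: str) -> Any:
    """Hardened form: ast.literal_eval accepts only Python literals
    (numbers, strings, tuples, lists, dicts, booleans, None).  A name
    lookup, attribute access or call is rejected, never executed."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"config value is not a plain literal: {text!r}") from exc


def is_plain_literal(text: str) -> bool:
    """True when parse_value_safe would accept the string."""
    try:
        parse_value_safe(text)
        return True
    except ValueError:
        return False


def resolve_activation(name: str) -> Callable[[float], float]:
    """Hardened form for 'name a function in config': dispatch through a
    fixed allowlist instead of eval()/getattr() on an untrusted string."""
    try:
        return ACTIVATIONS[name]
    except KeyError:
        raise ValueError(
            f"unknown activation {name!r}; allowed: {sorted(ACTIVATIONS)}"
        ) from None


def is_allowed_activation(name: str) -> bool:
    """True when the name is on the allowlist."""
    return name in ACTIVATIONS


def load_config(raw: Dict[str, str]) -> Dict[str, Any]:
    """Parse a flat key -> string config (e.g. YAML values or CLI overrides)
    without ever treating a value as executable code."""
    cfg: Dict[str, Any] = {}
    for key, text in raw.items():
        if key == "activation":
            cfg[key] = resolve_activation(text)
        else:
            cfg[key] = parse_value_safe(text)
    return cfg


if __name__ == "__main__":
    # Constructed sample: one benign literal and one value that is really code.
    benign = "(0.9, 0.999)"
    code = "len('abc')"  # harmless stand-in for an attacker-chosen expression
    print("vulnerable parser executed it:", parse_value_vulnerable(code))
    print("safe parser accepts it:", is_plain_literal(code))
    print(load_config({"betas": benign, "lr": "1e-3", "activation": "relu"}))
```

The detection point for reviewers is the same in both functions: any place where `eval`, `exec`, `compile`, or an unconstrained `getattr`/`importlib` lookup receives a string that originated outside the program. Replacing it with a literal parser plus an explicit allowlist removes the code path rather than trying to filter the input.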
Remediation
Install the update from the vendor's website.