We use cookies to improve your experience on our site.
AVID-2026-R1664
Description
Vulnerability CVE-2025-23250
Details
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause an improper limitation of a pathname to a restricted directory by an arbitrary file write. A successful exploit of this vulnerability might lead to code execution and data tampering.
Reason for inclusion in AVID: CVE-2025-23250 describes a path traversal vulnerability in NVIDIA NeMo Framework enabling arbitrary file writes, potentially leading to code execution and data tampering. NeMo is a software framework used to build/train/deploy AI models, and is a dependency in AI pipelines; this constitutes a software supply chain issue affecting AI systems. The vulnerability is exploitable via network with user interaction requirements and has clear security impacts (RCE, data tampering), providing sufficient evidence for AI relevance and supply-chain relevance.
References
Affected or Relevant Artifacts
- Developer: NVIDIA
- Deployer: NVIDIA
- Artifact Details:
| Type | Name |
|---|---|
| System | NeMo Framework |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L |
| Base Score | 7.6 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🔴 High |
| Availability Impact | 🟢 Low |
CWE
| ID | Description |
|---|---|
| CWE-22 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-04-22
- Version: 0.3.3
- AVID Entry