CVE-2025-23306

NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://nvd.nist.gov/vuln/detail/CVE-2025-23306	Technical Description
https://nvidia.custhelp.com/app/answers/detail/a_id/5685	Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2025-23306	Technical Description

Configurations

Configuration 1 (hide)

cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-13 18:15

Updated : 2025-09-19 17:05

NVD link : CVE-2025-23306

Mitre link : CVE-2025-23306

CVE.ORG link : CVE-2025-23306

JSON object : View

Products Affected

nvidia

megatron-lm

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-23306", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-08-13T18:15:30.387", "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23306", "tags": ["Technical Description"], "source": "[email protected]"}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5685", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-23306", "tags": ["Technical Description"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/\narguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering."}, {"lang": "es", "value": "NVIDIA Megatron-LM para todas las plataformas contiene una vulnerabilidad en el componente megatron/training/arguments.py que permite a un atacante causar un problema de inyecci\u00f3n de c\u00f3digo al proporcionar una entrada maliciosa. Una explotaci\u00f3n exitosa de esta vulnerabilidad puede provocar la ejecuci\u00f3n de c\u00f3digo, la escalada de privilegios, la divulgaci\u00f3n de informaci\u00f3n y la manipulaci\u00f3n de datos."}], "lastModified": "2025-09-19T17:05:36.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nvidia:megatron-lm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DCE9E29-E9C4-449E-B916-4C16C45E5F94", "versionEndExcluding": "0.12.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}