NVIDIA Merlin Transformers4Rec Deserialization Vulnerability in Trainer Component Allowing Code Execution

Vulnerability

A deserialization vulnerability has been identified in the Trainer component of NVIDIA Merlin Transformers4Rec for Linux. This issue allows a user to manipulate the deserialization process, potentially leading to code execution, denial of service, information disclosure, and data tampering.

Impact

Exploitation of this vulnerability could result in unauthorized code execution, disruption of service, unauthorized information access, and unauthorized data modification.

Remediation

Users are advised to update to any code branch that includes commit 876f19e. For more information, visit the NVIDIA Product Security page.

Added: Dec 9, 2025, 11:08 PM
Updated: Dec 9, 2025, 11:08 PM

Vulnerability Rating

Custom Algorithm scores (0.0 to 10.0):

spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.